Analysis Report DHLAWB# 9284880911 pdf.exe

Overview

General Information

Sample Name: DHLAWB# 9284880911 pdf.exe
Analysis ID: 402352
MD5: 72208e35ab96b53baffd99165d2f50cb
SHA1: ca1a5cefafcd9e4f37bb3880d96aa0fb86043cf1
SHA256: a2bb219a5ecfa042dc97a47aeda8a637f49e70e09af3f7b52f7974f7b1c39172
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.raw.unpack Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "97a824b7-e666-4a22-b2e3-fb501d91", "Group": "king", "Domain1": "23.105.131.171", "Domain2": "", "Port": 4040, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\HVLIxSqWJDWWZt.exe ReversingLabs: Detection: 10%
Multi AV Scanner detection for submitted file
Source: DHLAWB# 9284880911 pdf.exe ReversingLabs: Detection: 10%
Yara detected Nanocore RAT
Source: Yara match File source: 00000004.00000002.472666786.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.230786532.0000000004501000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.484302259.00000000060B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHLAWB# 9284880911 pdf.exe PID: 1560, type: MEMORY
Source: Yara match File source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.60b0000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.60b4629.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.60b0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.4846e90.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHLAWB# 9284880911 pdf.exe.45ac0d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.4846e90.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.48b6f59.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.484b4b9.6.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\HVLIxSqWJDWWZt.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DHLAWB# 9284880911 pdf.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.DHLAWB# 9284880911 pdf.exe.60b0000.17.unpack Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files
Source: DHLAWB# 9284880911 pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: DHLAWB# 9284880911 pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorlib.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.477033489.0000000001775000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\vCohllGlVk\src\obj\Debug\StringHandleOnStack.pdb source: DHLAWB# 9284880911 pdf.exe
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.477033489.0000000001775000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbI source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.477033489.0000000001775000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.234251673.0000000007540000.00000002.00000001.sdmp, DHLAWB# 9284880911 pdf.exe, 00000004.00000002.483898535.0000000005CB0000.00000002.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_05513430
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_05513421
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 4_2_06846808
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 4_2_06846818
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4x nop then mov esp, ebp 4_2_06843508
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4x nop then mov esp, ebp 4_2_06843518

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49725 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49726 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49727 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49733 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49734 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49736 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49738 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49740 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49741 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49750 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49751 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49752 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49753 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49754 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49756 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49758 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49759 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49760 -> 23.105.131.171:4040
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49761 -> 23.105.131.171:4040
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs:
Source: Malware configuration extractor URLs: 23.105.131.171
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49725 -> 23.105.131.171:4040
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LEASEWEB-USA-NYC-11US
Source: unknown TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_05AA28CE WSARecv, 4_2_05AA28CE
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.207004883.000000000195D000.00000004.00000001.sdmp String found in binary or memory: http://en.w
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp String found in binary or memory: http://google.com
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.226163799.0000000005880000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, DHLAWB# 9284880911 pdf.exe, 00000000.00000003.212524209.000000000588D000.00000004.00000001.sdmp, DHLAWB# 9284880911 pdf.exe, 00000000.00000003.212025172.0000000005889000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, DHLAWB# 9284880911 pdf.exe, 00000000.00000003.212524209.000000000588D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.226163799.0000000005880000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comceTF
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.207382725.000000000589B000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.207382725.000000000589B000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com-uA
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.207382725.000000000589B000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comc
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.207425359.000000000589B000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comic
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208864496.0000000005884000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208864496.0000000005884000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208706639.0000000005884000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/MI:H
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208864496.0000000005884000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/TS
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208693548.00000000058BD000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnb-n
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208864496.0000000005884000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnerslH
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208693548.00000000058BD000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnk-s
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208693548.00000000058BD000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cns-m
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.209977218.0000000005884000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.209977218.0000000005884000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.209977218.0000000005884000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/RT
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.209977218.0000000005884000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.209977218.0000000005884000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/a-e
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.209977218.0000000005884000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/ito
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.209977218.0000000005884000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.209977218.0000000005884000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/8T
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.209977218.0000000005884000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/ko
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.209977218.0000000005884000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/liquwT
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.207260612.000000000589B000.00000004.00000001.sdmp, DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.207260612.000000000589B000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comibiT
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208289981.0000000005886000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krZ
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208289981.0000000005886000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kre
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208289981.0000000005886000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krtriFH
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.207630084.000000000589B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comh
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.207580705.000000000589B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comtn
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.226833624.00000000015C8000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.483729377.0000000005B80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.472666786.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.472666786.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.230786532.0000000004501000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.230786532.0000000004501000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.481253287.000000000383B000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.484302259.00000000060B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: DHLAWB# 9284880911 pdf.exe PID: 1560, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: DHLAWB# 9284880911 pdf.exe PID: 1560, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHLAWB# 9284880911 pdf.exe.38647fc.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHLAWB# 9284880911 pdf.exe.4b12c32.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHLAWB# 9284880911 pdf.exe.4b12c32.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHLAWB# 9284880911 pdf.exe.37f1288.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHLAWB# 9284880911 pdf.exe.60b0000.17.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHLAWB# 9284880911 pdf.exe.48b6f59.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHLAWB# 9284880911 pdf.exe.60b4629.16.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHLAWB# 9284880911 pdf.exe.4b178d1.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHLAWB# 9284880911 pdf.exe.60b0000.17.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHLAWB# 9284880911 pdf.exe.4846e90.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHLAWB# 9284880911 pdf.exe.4b099fe.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHLAWB# 9284880911 pdf.exe.4b099fe.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHLAWB# 9284880911 pdf.exe.5b80000.13.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHLAWB# 9284880911 pdf.exe.3870a70.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.DHLAWB# 9284880911 pdf.exe.45ac0d8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.DHLAWB# 9284880911 pdf.exe.45ac0d8.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHLAWB# 9284880911 pdf.exe.38647fc.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHLAWB# 9284880911 pdf.exe.38647fc.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHLAWB# 9284880911 pdf.exe.3870a70.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHLAWB# 9284880911 pdf.exe.3870a70.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHLAWB# 9284880911 pdf.exe.38850d8.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHLAWB# 9284880911 pdf.exe.38850d8.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHLAWB# 9284880911 pdf.exe.4846e90.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHLAWB# 9284880911 pdf.exe.48b6f59.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHLAWB# 9284880911 pdf.exe.484b4b9.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Contains functionality to call native functions
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_055015E2 NtQuerySystemInformation, 0_2_055015E2
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_055015B1 NtQuerySystemInformation, 0_2_055015B1
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_05AA136A NtQuerySystemInformation, 4_2_05AA136A
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_05AA132F NtQuerySystemInformation, 4_2_05AA132F
Detected potential crypto function
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_00E38EF6 0_2_00E38EF6
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_00E3C644 0_2_00E3C644
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_00E37693 0_2_00E37693
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A23B8 0_2_031A23B8
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A5A18 0_2_031A5A18
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A1E50 0_2_031A1E50
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031AD518 0_2_031AD518
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A4950 0_2_031A4950
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A5140 0_2_031A5140
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031AD960 0_2_031AD960
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A6878 0_2_031A6878
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A975A 0_2_031A975A
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A23A8 0_2_031A23A8
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031ADBF0 0_2_031ADBF0
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031AE268 0_2_031AE268
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A76B0 0_2_031A76B0
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A86D8 0_2_031A86D8
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A86C8 0_2_031A86C8
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A76C0 0_2_031A76C0
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A8AF0 0_2_031A8AF0
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A8AE0 0_2_031A8AE0
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031ACD38 0_2_031ACD38
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A6D28 0_2_031A6D28
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A5550 0_2_031A5550
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A8141 0_2_031A8141
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031AE990 0_2_031AE990
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A3DB0 0_2_031A3DB0
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A8DC5 0_2_031A8DC5
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A681F 0_2_031A681F
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A4898 0_2_031A4898
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A8891 0_2_031A8891
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A8CA9 0_2_031A8CA9
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031A88A0 0_2_031A88A0
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_05511471 0_2_05511471
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_05510070 0_2_05510070
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_05510B20 0_2_05510B20
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_055104D0 0_2_055104D0
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_055130C0 0_2_055130C0
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_05510B10 0_2_05510B10
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_05511A13 0_2_05511A13
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_05510006 0_2_05510006
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_055104C0 0_2_055104C0
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_055117F1 0_2_055117F1
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_055119BB 0_2_055119BB
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_00FB8EF6 4_2_00FB8EF6
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_00FBC644 4_2_00FBC644
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_00FB7693 4_2_00FB7693
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_0596ACC8 4_2_0596ACC8
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_05963850 4_2_05963850
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_05969068 4_2_05969068
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_05968468 4_2_05968468
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_059623A0 4_2_059623A0
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_05962FA8 4_2_05962FA8
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_0596912F 4_2_0596912F
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_0596306F 4_2_0596306F
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_0684781F 4_2_0684781F
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_06844068 4_2_06844068
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_06844C68 4_2_06844C68
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_06842270 4_2_06842270
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_06841670 4_2_06841670
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_06845510 4_2_06845510
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_06844D2F 4_2_06844D2F
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_06842337 4_2_06842337
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_06847758 4_2_06847758
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_06846B58 4_2_06846B58
Sample file is different than original file name gathered from version info
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.226428505.0000000000EF4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStringHandleOnStack.exeF vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.235348955.0000000007860000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.235991881.0000000007B20000.00000002.00000001.sdmp Binary or memory string: originalfilename vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.235991881.0000000007B20000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.234534146.0000000007620000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.226833624.00000000015C8000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.235771128.0000000007A30000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.234251673.0000000007540000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.480974353.00000000037E1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482623879.0000000004A96000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482623879.0000000004A96000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482623879.0000000004A96000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482623879.0000000004A96000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482623879.0000000004A96000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482623879.0000000004A96000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.485049464.0000000006A90000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.483342885.0000000005A70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.473818106.0000000001074000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStringHandleOnStack.exeF vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.483898535.0000000005CB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe Binary or memory string: OriginalFilenameStringHandleOnStack.exeF vs DHLAWB# 9284880911 pdf.exe
Uses 32bit PE files
Source: DHLAWB# 9284880911 pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000004.00000002.483729377.0000000005B80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.483729377.0000000005B80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.472666786.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.472666786.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.230786532.0000000004501000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.230786532.0000000004501000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.481253287.000000000383B000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.484302259.00000000060B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.484302259.00000000060B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: DHLAWB# 9284880911 pdf.exe PID: 1560, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: DHLAWB# 9284880911 pdf.exe PID: 1560, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.DHLAWB# 9284880911 pdf.exe.38647fc.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.38647fc.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.DHLAWB# 9284880911 pdf.exe.4b12c32.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.4b12c32.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.4b12c32.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.4b12c32.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.DHLAWB# 9284880911 pdf.exe.37f1288.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.37f1288.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.60b0000.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.60b0000.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.48b6f59.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.48b6f59.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.60b4629.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.60b4629.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.4b178d1.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.4b178d1.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.DHLAWB# 9284880911 pdf.exe.60b0000.17.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.60b0000.17.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.4846e90.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.4846e90.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.4b099fe.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.4b099fe.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.4b099fe.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.4b099fe.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.5b80000.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.5b80000.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.3870a70.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.3870a70.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.DHLAWB# 9284880911 pdf.exe.45ac0d8.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.DHLAWB# 9284880911 pdf.exe.45ac0d8.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.DHLAWB# 9284880911 pdf.exe.38647fc.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.38647fc.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.DHLAWB# 9284880911 pdf.exe.3870a70.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.3870a70.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.DHLAWB# 9284880911 pdf.exe.38850d8.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHLAWB# 9284880911 pdf.exe.38850d8.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.DHLAWB# 9284880911 pdf.exe.4846e90.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.DHLAWB# 9284880911 pdf.exe.48b6f59.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.DHLAWB# 9284880911 pdf.exe.484b4b9.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: DHLAWB# 9284880911 pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: HVLIxSqWJDWWZt.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/6@0/1
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_05501466 AdjustTokenPrivileges, 0_2_05501466
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_0550142F AdjustTokenPrivileges, 0_2_0550142F
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_05AA112A AdjustTokenPrivileges, 4_2_05AA112A
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_05AA10F3 AdjustTokenPrivileges, 4_2_05AA10F3
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe File created: C:\Users\user\AppData\Roaming\HVLIxSqWJDWWZt.exe
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\skdZIBbaoBoYVQ
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2168:120:WilError_01
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{97a824b7-e666-4a22-b2e3-fb501d91b8df}
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe File created: C:\Users\user\AppData\Local\Temp\tmpF4A2.tmp
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: DHLAWB# 9284880911 pdf.exe ReversingLabs: Detection: 10%
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe File read: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe 'C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe'
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HVLIxSqWJDWWZt' /XML 'C:\Users\user\AppData\Local\Temp\tmpF4A2.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Process created: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: DHLAWB# 9284880911 pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: DHLAWB# 9284880911 pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: DHLAWB# 9284880911 pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mscorlib.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.477033489.0000000001775000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\vCohllGlVk\src\obj\Debug\StringHandleOnStack.pdb source: DHLAWB# 9284880911 pdf.exe
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.477033489.0000000001775000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbI source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.477033489.0000000001775000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.234251673.0000000007540000.00000002.00000001.sdmp, DHLAWB# 9284880911 pdf.exe, 00000004.00000002.483898535.0000000005CB0000.00000002.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_00E3C1B3 push es; iretd 0_2_00E3C1C0
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_02F88808 push ebp; ret 0_2_02F88809
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_02F88804 push ecx; ret 0_2_02F88805
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_031AC2DB push ebp; ret 0_2_031AC2DC
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 0_2_055121A2 push edx; ret 0_2_055121A5
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_00FBC1B3 push es; iretd 4_2_00FBC1C0
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_017474B8 push ebp; ret 4_2_017474B9
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_017474AC push ecx; ret 4_2_017474AD
Source: initial sample Static PE information: section name: .text entropy: 7.92145067275
Source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe File created: C:\Users\user\AppData\Roaming\HVLIxSqWJDWWZt.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HVLIxSqWJDWWZt' /XML 'C:\Users\user\AppData\Local\Temp\tmpF4A2.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe File opened: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHLAWB# 9284880911 pdf.exe PID: 3012, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Window / User API: threadDelayed 412
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Window / User API: foregroundWindowGot 964
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe TID: 2432 Thread sleep time: -99303s >= -30000s
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe TID: 592 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe TID: 5400 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe TID: 492 Thread sleep time: -240000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_05AA0DB6 GetSystemInfo, 4_2_05AA0DB6
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Thread delayed: delay time: 99303
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Thread delayed: delay time: 922337203685477
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.485049464.0000000006A90000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp Binary or memory string: vmware
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.485049464.0000000006A90000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.485049464.0000000006A90000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.485049464.0000000006A90000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Memory written: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HVLIxSqWJDWWZt' /XML 'C:\Users\user\AppData\Local\Temp\tmpF4A2.tmp'
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Process created: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.481821618.000000000395A000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.477363163.0000000001DA0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.477363163.0000000001DA0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.481906477.000000000396E000.00000004.00000001.sdmp Binary or memory string: Program Manager0
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.481253287.000000000383B000.00000004.00000001.sdmp Binary or memory string: Program ManagerX
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.477363163.0000000001DA0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_0173AF9A GetUserNameW, 4_2_0173AF9A
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000004.00000002.472666786.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.230786532.0000000004501000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.484302259.00000000060B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHLAWB# 9284880911 pdf.exe PID: 1560, type: MEMORY
Source: Yara match File source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.60b0000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.60b4629.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.60b0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.4846e90.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHLAWB# 9284880911 pdf.exe.45ac0d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.4846e90.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.48b6f59.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.484b4b9.6.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.480974353.00000000037E1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match File source: 00000004.00000002.472666786.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.230786532.0000000004501000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.484302259.00000000060B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHLAWB# 9284880911 pdf.exe PID: 1560, type: MEMORY
Source: Yara match File source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.60b0000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.60b4629.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.60b0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.4846e90.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHLAWB# 9284880911 pdf.exe.45ac0d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.4846e90.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.48b6f59.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHLAWB# 9284880911 pdf.exe.484b4b9.6.raw.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_05AA2386 bind, 4_2_05AA2386
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe Code function: 4_2_05AA2353 bind, 4_2_05AA2353
Behavior Graph

ID: 402352
Sample: DHLAWB# 9284880911 pdf.exe
Startdate: 03/05/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures:

  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Found malware configuration
  • Malicious sample detected (through community Yara rule)
  • 13 other signatures

Process tree:

  • DHLAWB# 9284880911 pdf.exe (started)
      • Dropped file: C:\Users\user\AppData\...\HVLIxSqWJDWWZt.exe, PE32
      • Dropped file: C:\...\HVLIxSqWJDWWZt.exe:Zone.Identifier, ASCII
      • Dropped file: C:\Users\user\AppData\Local\...\tmpF4A2.tmp, XML
      • Dropped file: C:\Users\...\DHLAWB# 9284880911 pdf.exe.log, ASCII
      • Signature: Injects a PE file into a foreign processes
      • DHLAWB# 9284880911 pdf.exe (started, child process)
          • DNS/IP: 23.105.131.171, ports 4040, 49725, 49726, LEASEWEB-USA-NYC-11US, United States
          • Dropped file: C:\Users\user\AppData\Roaming\...\run.dat, data
          • Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
      • schtasks.exe (started)
          • conhost.exe (started)

Contacted Public IPs

IP             | Domain  | Country       | ASN    | ASN Name              | Malicious
23.105.131.171 | unknown | United States | 396362 | LEASEWEB-USA-NYC-11US | true

Contacted URLs

Name           | Malicious | Antivirus Detection   | Reputation
               | true      | Avira URL Cloud: safe | low
23.105.131.171 | true      | Avira URL Cloud: safe | unknown