
Analysis Report New_Order.pdf.exe

Overview

General Information

Sample Name:New_Order.pdf.exe
Analysis ID:412129
MD5:6fc2fe3cb8489c06e4cdf490d8d85831
SHA1:5f9a79048125fa59afef8283f697b4c5e20bd919
SHA256:4303c5ace1eaf268fb19a2b2abd471958bf8b9805cfb955f5905493785990fb0
Tags:NanoCore

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • New_Order.pdf.exe (PID: 6512 cmdline: 'C:\Users\user\Desktop\New_Order.pdf.exe' MD5: 6FC2FE3CB8489C06E4CDF490D8D85831)
    • schtasks.exe (PID: 6708 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ymZXkfeikHno' /XML 'C:\Users\user\AppData\Local\Temp\tmpD2AD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6768 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Domain1": "185.140.53.138", "Domain2": "wealth2021.ddns.net", "Port": 20221, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source: 00000005.00000002.601093794.0000000003221000.00000004.00000001.sdmp
  Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT; author: Joe Security)
Source: 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp
  Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  Strings:
    • 0x13e45d:$x1: NanoCore.ClientPluginHost
    • 0x13e49a:$x2: IClientNetworkHost
    • 0x141fcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp
  Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT; author: Joe Security)
Source: 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp
  Rule: NanoCore (description: unknown; author: Kevin Breen <kevin@techanarchy.net>)
  Strings:
    • 0x13e1c5:$a: NanoCore
    • 0x13e1d5:$a: NanoCore
    • 0x13e409:$a: NanoCore
    • 0x13e41d:$a: NanoCore
    • 0x13e45d:$a: NanoCore
    • 0x13e224:$b: ClientPlugin
    • 0x13e426:$b: ClientPlugin
    • 0x13e466:$b: ClientPlugin
    • 0x13e34b:$c: ProjectData
    • 0x1531df:$c: ProjectData
    • 0x1df3ff:$c: ProjectData
    • 0x13ed52:$d: DESCrypto
    • 0x14671e:$e: KeepAlive
    • 0x14470c:$g: LogClientMessage
    • 0x140907:$i: get_Connected
    • 0x13f088:$j: #=q
    • 0x13f0b8:$j: #=q
    • 0x13f0d4:$j: #=q
    • 0x13f104:$j: #=q
    • 0x13f120:$j: #=q
    • 0x13f13c:$j: #=q
Source: 00000005.00000002.606732011.0000000005B50000.00000004.00000001.sdmp
  Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  Strings:
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost
(5 of 20 entries shown)

      Unpacked PEs

Source: 5.2.RegSvcs.exe.426ff7c.4.raw.unpack
  Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  Strings:
    • 0xf7ad:$x1: NanoCore.ClientPluginHost
    • 0x28279:$x1: NanoCore.ClientPluginHost
    • 0xf7da:$x2: IClientNetworkHost
    • 0x282a6:$x2: IClientNetworkHost
Source: 5.2.RegSvcs.exe.426ff7c.4.raw.unpack
  Rule: Nanocore_RAT_Feb18_1 (Detects Nanocore RAT; author: Florian Roth)
  Strings:
    • 0xf7ad:$x2: NanoCore.ClientPluginHost
    • 0x28279:$x2: NanoCore.ClientPluginHost
    • 0x10888:$s4: PipeCreated
    • 0x29354:$s4: PipeCreated
    • 0xf7c7:$s5: IClientLoggingHost
    • 0x28293:$s5: IClientLoggingHost
Source: 5.2.RegSvcs.exe.426ff7c.4.raw.unpack
  Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT; author: Joe Security)
Source: 5.2.RegSvcs.exe.426b146.2.raw.unpack
  Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  Strings:
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0x145e3:$x1: NanoCore.ClientPluginHost
    • 0x2d0af:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost
    • 0x14610:$x2: IClientNetworkHost
    • 0x2d0dc:$x2: IClientNetworkHost
Source: 5.2.RegSvcs.exe.426b146.2.raw.unpack
  Rule: Nanocore_RAT_Feb18_1 (Detects Nanocore RAT; author: Florian Roth)
  Strings:
    • 0xe75:$x2: NanoCore.ClientPluginHost
    • 0x145e3:$x2: NanoCore.ClientPluginHost
    • 0x2d0af:$x2: NanoCore.ClientPluginHost
    • 0x1261:$s3: PipeExists
    • 0x1136:$s4: PipeCreated
    • 0x156be:$s4: PipeCreated
    • 0x2e18a:$s4: PipeCreated
    • 0xeb0:$s5: IClientLoggingHost
    • 0x145fd:$s5: IClientLoggingHost
    • 0x2d0c9:$s5: IClientLoggingHost
(5 of 31 entries shown)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; author: Joe Security; data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6768, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: the same "File created" event (EventID 11, RegSvcs.exe PID 6768 writing run.dat) listed under AV Detection

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started; author: juju4; data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: (empty), Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\New_Order.pdf.exe', ParentImage: C:\Users\user\Desktop\New_Order.pdf.exe, ParentProcessId: 6512, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6768

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: the same "File created" event listed under AV Detection

Remote Access Functionality:

Sigma detected: NanoCore
Source: the same "File created" event listed under AV Detection
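Added example, not part of the report: the three host-side behaviours the process tree and the Sigma hits above describe, written as detection logic over constructed Sysmon-style events. PIDs, images, command lines and the run.dat path are copied from this report; the explorer.exe parent of PID 6512 and the two benign look-alike events are my assumptions. The report's "Possible Applocker Bypass" Sigma rule fires on the RegSvcs.exe image alone; rule_regsvcs_from_user_path below is a stricter variant of my own, not that rule.

```python
import re

# Constructed Sysmon-style events. The first four reproduce the process tree and the
# Sigma "File created" event from this report; the last two are invented benign cases.
EVENTS = [
    {"EventID": 1, "ProcessId": 6512,
     "Image": r"C:\Users\user\Desktop\New_Order.pdf.exe",
     "CommandLine": r"'C:\Users\user\Desktop\New_Order.pdf.exe'",
     "ParentImage": r"C:\Windows\explorer.exe"},  # parent is an assumption, not in the report
    {"EventID": 1, "ProcessId": 6708,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ymZXkfeikHno' /XML 'C:\Users\user\AppData\Local\Temp\tmpD2AD.tmp'",
     "ParentImage": r"C:\Users\user\Desktop\New_Order.pdf.exe"},
    {"EventID": 1, "ProcessId": 6768,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Users\user\Desktop\New_Order.pdf.exe"},
    {"EventID": 11, "ProcessId": 6768,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 1, "ProcessId": 7001,  # benign: an installer registering a COM+ assembly
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r"RegSvcs.exe C:\Program Files\Vendor\Service.dll",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"EventID": 1, "ProcessId": 7002,  # benign: task definition shipped with the product
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /Create /TN 'Vendor\Update' /XML 'C:\Program Files\Vendor\update.xml'",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
]

GUID = r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}"
RUN_DAT_RE = re.compile(r"\\AppData\\Roaming\\" + GUID + r"\\run\.dat$", re.I)
USER_WRITABLE_RE = re.compile(r"^C:\\(Users|ProgramData)\\", re.I)
SCHTASKS_TEMP_XML_RE = re.compile(r"/create\b.*/xml\s+'?[^'\s]*\\AppData\\Local\\Temp\\", re.I)


def rule_schtasks_xml_from_temp(ev):
    """schtasks /Create importing its task definition from the user's Temp directory."""
    if ev["EventID"] == 1 and ev["Image"].lower().endswith(r"\schtasks.exe") \
            and SCHTASKS_TEMP_XML_RE.search(ev["CommandLine"]):
        return "schtasks-xml-from-temp"
    return None


def rule_regsvcs_from_user_path(ev):
    """RegSvcs.exe started with no arguments by a parent in a user-writable directory:
    a legitimate use always names an assembly, and a loader doing process injection
    needs the empty host process, which is what the process tree shows."""
    if ev["EventID"] != 1 or not ev["Image"].lower().endswith(r"\regsvcs.exe"):
        return None
    cmd = ev["CommandLine"].strip().strip("'\"")
    if USER_WRITABLE_RE.match(ev["ParentImage"]) and cmd.lower().endswith("regsvcs.exe"):
        return "regsvcs-no-args-from-user-path"
    return None


def rule_nanocore_run_dat(ev):
    """run.dat inside a GUID-named folder under Roaming AppData, the artefact the
    Joe Security Sigma rule in this report keys on."""
    if ev["EventID"] == 11 and RUN_DAT_RE.search(ev["TargetFilename"]):
        return "nanocore-run-dat"
    return None


RULES = (rule_schtasks_xml_from_temp, rule_regsvcs_from_user_path, rule_nanocore_run_dat)


def evaluate(events):
    """Return (ProcessId, finding) for every rule that fires on every event."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((ev["ProcessId"], hit))
    return findings


def correlate(findings):
    """Group findings by PID; a PID hit by more than one rule deserves a higher severity."""
    by_pid = {}
    for pid, hit in findings:
        by_pid.setdefault(pid, []).append(hit)
    return by_pid
```

Two things from the report are worth carrying into the response: the task name Updates\ymZXkfeikHno matches the dropped file C:\Users\user\AppData\Roaming\ymZXkfeikHno.exe listed under "Multi AV Scanner detection for dropped file", and the XML in Temp is a throwaway, so on a live host the task definition has to be read back from the Tasks store (C:\Windows\System32\Tasks\Updates\) or from schtasks /Query. The configuration also has RunOnStartup disabled, which is consistent with the tree: the scheduled task is created by the loader in PID 6512, not by the NanoCore client running inside RegSvcs.exe.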

        Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.604349712.0000000004269000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore, configuration as listed under "Malware Configuration" above
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ymZXkfeikHno.exe; ReversingLabs: Detection: 30%
Multi AV Scanner detection for submitted file
Source: New_Order.pdf.exe; Virustotal: Detection: 20%
Source: New_Order.pdf.exe; ReversingLabs: Detection: 30%
Yara detected Nanocore RAT
Source: Yara match; file source: 00000005.00000002.601093794.0000000003221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000005.00000002.599669411.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.347888838.0000000003871000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000005.00000002.604349712.0000000004269000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000005.00000002.606793960.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: New_Order.pdf.exe PID: 6512, type: MEMORY
Source: Yara match; file source: Process Memory Space: RegSvcs.exe PID: 6768, type: MEMORY
Source: Yara match; file source: 5.2.RegSvcs.exe.426ff7c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 5.2.RegSvcs.exe.426b146.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 5.2.RegSvcs.exe.426ff7c.4.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.New_Order.pdf.exe.392a5c0.3.unpack, type: UNPACKEDPE
Source: Yara match; file source: 5.2.RegSvcs.exe.42745a5.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 5.2.RegSvcs.exe.5ba4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.New_Order.pdf.exe.392a5c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 5.2.RegSvcs.exe.5ba0000.9.unpack, type: UNPACKEDPE
Source: Yara match; file source: 5.2.RegSvcs.exe.5ba0000.9.raw.unpack, type: UNPACKEDPE
Source: 5.2.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.RegSvcs.exe.5ba0000.9.unpack; Avira: Label: TR/NanoCore.fadte
Source: New_Order.pdf.exe; static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: New_Order.pdf.exe; static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: New_Order.pdf.exe; binary string: C:\Users\Administrator\Desktop\Client\Temp\NvssPfmSRe\src\obj\Debug\DuplicateIdentityOption.pdb

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: wealth2021.ddns.net
Source: Malware configuration extractor; URLs: 185.140.53.138
Uses dynamic DNS services
Source: unknown; DNS query: name: wealth2021.ddns.net
Source: global traffic; TCP traffic: 192.168.2.6:49718 -> 185.140.53.138:20221
Source: Joe Sandbox View; IP address: 185.140.53.138
Source: Joe Sandbox View; ASN name: DAVID_CRAIGGG
Source: unknown; DNS traffic detected: queries for: wealth2021.ddns.net
Source: New_Order.pdf.exe; string found in binary or memory: http://checkip.dyndns.org/
Source: New_Order.pdf.exe, 00000000.00000002.346368888.0000000002871000.00000004.00000001.sdmp; string found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: New_Order.pdf.exe; string found in binary or memory: http://servermanager.miixit.org/
Source: New_Order.pdf.exe; string found in binary or memory: http://servermanager.miixit.org/E
Source: New_Order.pdf.exe; string found in binary or memory: http://servermanager.miixit.org/downloads/
Source: New_Order.pdf.exe; string found in binary or memory: http://servermanager.miixit.org/hits/hit_index.php?k=
Source: New_Order.pdf.exe; string found in binary or memory: http://servermanager.miixit.org/hits/hit_index.php?k=1
Source: New_Order.pdf.exe; string found in binary or memory: http://servermanager.miixit.org/index_ru.html
Source: New_Order.pdf.exe; string found in binary or memory: http://servermanager.miixit.org/index_ru.htmlk
Source: New_Order.pdf.exe; string found in binary or memory: http://servermanager.miixit.org/report/reporter_index.php?name=
Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp; string found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: New_Order.pdf.exe; string found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC
Source: RegSvcs.exe, 00000005.00000002.604349712.0000000004269000.00000004.00000001.sdmp; binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: the same Yara matches listed under AV Detection above (six memory dumps, the process memory spaces of New_Order.pdf.exe PID 6512 and RegSvcs.exe PID 6768, and ten unpacked PEs)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detects the Nanocore RAT (author: Florian Roth)
Source: 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore (author: Kevin Breen <kevin@techanarchy.net>)
Source: 00000005.00000002.606732011.0000000005B50000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detects the Nanocore RAT (author: Florian Roth)
Source: 00000005.00000002.599669411.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: Detects the Nanocore RAT (author: Florian Roth)
Source: 00000005.00000002.599669411.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: NanoCore (author: Kevin Breen <kevin@techanarchy.net>)
Source: 00000000.00000002.347888838.0000000003871000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detects the Nanocore RAT (author: Florian Roth)
Source: 00000000.00000002.347888838.0000000003871000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore (author: Kevin Breen <kevin@techanarchy.net>)
Source: 00000005.00000002.604349712.0000000004269000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore (author: Kevin Breen <kevin@techanarchy.net>)
Source: 00000005.00000002.606793960.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detects the Nanocore RAT (author: Florian Roth)
Source: Process Memory Space: New_Order.pdf.exe PID: 6512, type: MEMORY; matched rule: Detects the Nanocore RAT (author: Florian Roth)
Source: Process Memory Space: New_Order.pdf.exe PID: 6512, type: MEMORY; matched rule: NanoCore (author: Kevin Breen <kevin@techanarchy.net>)
Source: Process Memory Space: RegSvcs.exe PID: 6768, type: MEMORY; matched rule: Detects the Nanocore RAT (author: Florian Roth)
Source: Process Memory Space: RegSvcs.exe PID: 6768, type: MEMORY; matched rule: NanoCore (author: Kevin Breen <kevin@techanarchy.net>)
Source: 5.2.RegSvcs.exe.426ff7c.4.raw.unpack, type: UNPACKEDPE; matched rule: Detects the Nanocore RAT (author: Florian Roth)
Source: 5.2.RegSvcs.exe.426b146.2.raw.unpack, type: UNPACKEDPE; matched rule: Detects the Nanocore RAT (author: Florian Roth)
Source: 5.2.RegSvcs.exe.426b146.2.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore (author: Kevin Breen <kevin@techanarchy.net>)
Source: 5.2.RegSvcs.exe.426ff7c.4.unpack, type: UNPACKEDPE; matched rule: Detects the Nanocore RAT (author: Florian Roth)
Source: 0.2.New_Order.pdf.exe.392a5c0.3.unpack, type: UNPACKEDPE; matched rule: Detects the Nanocore RAT (author: Florian Roth)
Source: 0.2.New_Order.pdf.exe.392a5c0.3.unpack, type: UNPACKEDPE; matched rule: NanoCore (author: Kevin Breen <kevin@techanarchy.net>)
Source: 5.2.RegSvcs.exe.5b50000.7.raw.unpack, type: UNPACKEDPE; matched rule: Detects the Nanocore RAT (author: Florian Roth)
Source: 5.2.RegSvcs.exe.42745a5.3.raw.unpack, type: UNPACKEDPE; matched rule: Detects the Nanocore RAT (author: Florian Roth)
Source: 5.2.RegSvcs.exe.5ba4629.8.raw.unpack, type: UNPACKEDPE; matched rule: Detects the Nanocore RAT (author: Florian Roth)
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: Detects the Nanocore RAT (author: Florian Roth)
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: NanoCore (author: Kevin Breen <kevin@techanarchy.net>)
Source: 0.2.New_Order.pdf.exe.392a5c0.3.raw.unpack, type: UNPACKEDPE; matched rule: Detects the Nanocore RAT (author: Florian Roth)
Source: 0.2.New_Order.pdf.exe.392a5c0.3.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore (author: Kevin Breen <kevin@techanarchy.net>)
Source: 5.2.RegSvcs.exe.5ba0000.9.unpack, type: UNPACKEDPE; matched rule: Detects the Nanocore RAT (author: Florian Roth)
Source: 5.2.RegSvcs.exe.5ba0000.9.raw.unpack, type: UNPACKEDPE; matched rule: Detects the Nanocore RAT (author: Florian Roth)
Initial sample is a PE file and has a suspicious name
Source: initial sample; static PE information: Filename: New_Order.pdf.exe
Source: C:\Users\user\Desktop\New_Order.pdf.exe; code function: 0_2_00487DA2
Source: C:\Users\user\Desktop\New_Order.pdf.exe; code function: 0_2_00EFC2B0
Source: C:\Users\user\Desktop\New_Order.pdf.exe; code function: 0_2_00EF9968
Source: C:\Users\user\Desktop\New_Order.pdf.exe; code function: 0_2_04EE4958
Source: C:\Users\user\Desktop\New_Order.pdf.exe; code function: 0_2_04EEAAD0
Source: C:\Users\user\Desktop\New_Order.pdf.exe; code function: 0_2_04EE847F
Source: C:\Users\user\Desktop\New_Order.pdf.exe; code function: 0_2_04EEAACF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; code function: 5_2_016FE471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; code function: 5_2_016FE480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; code function: 5_2_016FBBD4
Source: New_Order.pdf.exe, 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp; binary or memory string: OriginalFilenameDSASignature.dll@ vs New_Order.pdf.exe
Source: New_Order.pdf.exe, 00000000.00000002.344351580.000000000057C000.00000002.00020000.sdmp; binary or memory string: OriginalFilenameDuplicateIdentityOption.exeF vs New_Order.pdf.exe
Source: New_Order.pdf.exe, 00000000.00000002.346845710.0000000002909000.00000004.00000001.sdmp; binary or memory string: OriginalFilenameSimpleUI.dll( vs New_Order.pdf.exe
Source: New_Order.pdf.exe, 00000000.00000002.353842114.000000000B8E0000.00000002.00000001.sdmp; binary or memory string: originalfilename vs New_Order.pdf.exe
Source: New_Order.pdf.exe, 00000000.00000002.353842114.000000000B8E0000.00000002.00000001.sdmp; binary or memory string: OriginalFilenamepropsys.dll.mui@ vs New_Order.pdf.exe
Source: New_Order.pdf.exe, 00000000.00000002.346368888.0000000002871000.00000004.00000001.sdmp; binary or memory string: OriginalFilename vs New_Order.pdf.exe
Source: New_Order.pdf.exe, 00000000.00000002.352591788.0000000004EC0000.00000002.00000001.sdmp; binary or memory string: OriginalFilenamenlsbres.dllj% vs New_Order.pdf.exe
Source: New_Order.pdf.exe, 00000000.00000002.353700072.000000000B7F0000.00000002.00000001.sdmp; binary or memory string: System.OriginalFileName vs New_Order.pdf.exe
Source: New_Order.pdf.exe; binary or memory string: OriginalFilenameDuplicateIdentityOption.exeF vs New_Order.pdf.exe
Source: New_Order.pdf.exe; static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
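Added example, not part of the report: static-triage checks for the two naming findings above, the double extension (New_Order.pdf.exe is shown as "New_Order.pdf" when Explorer hides known extensions, which is its default) and the mismatch between the sample name and the OriginalFilename carried in its version resource, with the embedded PDB path used to corroborate which build the loader is. The "OriginalFilename ... vs" strings and the PDB path are copied from the report; the extension lists and the line parser are my own assumptions. Only .exe values are compared, because the memory dumps also carry the version resources of DLLs the process loaded (propsys.dll, nlsbres.dll).

```python
import re

# Strings the report shows for this sample; the trailing junk characters after the
# file names are extraction noise and are kept as they appear.
REPORT_STRINGS = """\
OriginalFilenameDSASignature.dll@ vs New_Order.pdf.exe
OriginalFilenameDuplicateIdentityOption.exeF vs New_Order.pdf.exe
OriginalFilenameSimpleUI.dll( vs New_Order.pdf.exe
OriginalFilenamepropsys.dll.mui@ vs New_Order.pdf.exe
OriginalFilenamenlsbres.dllj% vs New_Order.pdf.exe
"""
PDB_PATH = r"C:\Users\Administrator\Desktop\Client\Temp\NvssPfmSRe\src\obj\Debug\DuplicateIdentityOption.pdb"

# Illustrative lists (assumptions): decoy "document" extensions and real executable ones.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png", "zip"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}

# "OriginalFilename<name>.<exe|dll><junk> vs <sample>" as the sandbox prints it.
ORIGINAL_RE = re.compile(r"OriginalFilename([\w\-]+\.(?:exe|dll))\S*\s+vs\s+(\S+)")


def decoy_extension(name):
    """Return the document-like extension hiding before the real executable one, else None."""
    parts = name.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DECOY_EXTS:
        return parts[-2]
    return None


def original_filenames(strings):
    """Pull the OriginalFilename values out of the sandbox's 'X vs sample' lines."""
    return [m.group(1) for m in ORIGINAL_RE.finditer(strings)]


def pdb_info(path):
    """Project name and build configuration from an embedded PDB path."""
    parts = path.replace("/", "\\").split("\\")
    project = re.sub(r"\.pdb$", "", parts[-1], flags=re.I)
    config = next((p for p in parts if p in ("Debug", "Release")), None)
    return project, config


def triage(sample_name, strings, pdb_path):
    """Combine the three checks into one finding record for the sample."""
    names = original_filenames(strings)
    exe_names = [n for n in names if n.lower().endswith(".exe")]
    project, config = pdb_info(pdb_path)
    return {
        "decoy_extension": decoy_extension(sample_name),
        "original_filenames": names,
        # True when the binary's own version resource names a different executable.
        "name_mismatch": bool(exe_names) and sample_name.lower() not in {n.lower() for n in exe_names},
        "pdb": (project, config),
        # The PDB project name agreeing with OriginalFilename ties the loader to one build.
        "pdb_matches_original": any(n.lower() == (project + ".exe").lower() for n in exe_names),
    }
```

A Debug-configuration PDB path under an Administrator desktop, with a random-looking directory name (NvssPfmSRe) and a project name that matches OriginalFilename, is the profile of a freshly generated crypter stub rather than a product build; it is a pivot for clustering other loaders from the same builder, not an indicator on its own.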
Matched community Yara rules, with the metadata embedded in each rule:
  • Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
  • Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
  • NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Sources and the rules each one matched:
  • 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp, type: MEMORY: Nanocore_RAT_Gen_2, NanoCore
  • 00000005.00000002.606732011.0000000005B50000.00000004.00000001.sdmp, type: MEMORY: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
  • 00000005.00000002.599669411.0000000000402000.00000040.00000001.sdmp, type: MEMORY: Nanocore_RAT_Gen_2, NanoCore
  • 00000000.00000002.347888838.0000000003871000.00000004.00000001.sdmp, type: MEMORY: Nanocore_RAT_Gen_2, NanoCore
  • 00000005.00000002.604349712.0000000004269000.00000004.00000001.sdmp, type: MEMORY: NanoCore
  • 00000005.00000002.606793960.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
  • Process Memory Space: New_Order.pdf.exe PID: 6512, type: MEMORY: Nanocore_RAT_Gen_2, NanoCore
  • Process Memory Space: RegSvcs.exe PID: 6768, type: MEMORY: Nanocore_RAT_Gen_2, NanoCore
  • 5.2.RegSvcs.exe.426ff7c.4.raw.unpack, type: UNPACKEDPE: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
  • 5.2.RegSvcs.exe.426b146.2.raw.unpack, type: UNPACKEDPE: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
  • 5.2.RegSvcs.exe.426ff7c.4.unpack, type: UNPACKEDPE: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
  • 0.2.New_Order.pdf.exe.392a5c0.3.unpack, type: UNPACKEDPE: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
  • 5.2.RegSvcs.exe.5b50000.7.raw.unpack, type: UNPACKEDPE: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
  • 5.2.RegSvcs.exe.42745a5.3.raw.unpack, type: UNPACKEDPE: Nanocore_RAT_Gen_2
        Source: 5.2.RegSvcs.exe.42745a5.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.RegSvcs.exe.5ba4629.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegSvcs.exe.5ba4629.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.New_Order.pdf.exe.392a5c0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.New_Order.pdf.exe.392a5c0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.New_Order.pdf.exe.392a5c0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegSvcs.exe.5ba0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegSvcs.exe.5ba0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.RegSvcs.exe.5ba0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegSvcs.exe.5ba0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: New_Order.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: ymZXkfeikHno.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 5.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 5.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 5.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/5@12/1
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | File created: C:\Users\user\AppData\Roaming\ymZXkfeikHno.exe
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\yWUoVXCDbZFLNYsWANKi
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6724:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{ae697278-0563-480d-a326-4f0ab2164ba0}
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmpD2AD.tmp
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
        Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
        Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
        Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
        Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
        Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
        Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
        Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
        Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
        Source: New_Order.pdf.exe | Virustotal: Detection: 20%
        Source: New_Order.pdf.exe | ReversingLabs: Detection: 30%
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | File read: C:\Users\user\Desktop\New_Order.pdf.exe:Zone.Identifier
        Source: unknown | Process created: C:\Users\user\Desktop\New_Order.pdf.exe 'C:\Users\user\Desktop\New_Order.pdf.exe'
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ymZXkfeikHno' /XML 'C:\Users\user\AppData\Local\Temp\tmpD2AD.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: New_Order.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: New_Order.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: New_Order.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\NvssPfmSRe\src\obj\Debug\DuplicateIdentityOption.pdb source: New_Order.pdf.exe

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 5.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | Code function: 0_2_00487668 push es; retf 0_2_00487684
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | Code function: 0_2_0048761D push es; retf 0_2_0048764E
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | Code function: 0_2_00487A16 push ss; retf 0_2_00487DA0
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | Code function: 0_2_004875C0 push es; retf 0_2_0048764E
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | Code function: 0_2_004891F0 push cs; iretd 0_2_004891F8
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | Code function: 0_2_04EEA407 push ecx; ret 0_2_04EEA415
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | Code function: 0_2_04EEA400 push ecx; ret 0_2_04EEA415
        Source: initial sample | Static PE information: section name: .text entropy: 7.90078370976
        Source: 5.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 5.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | File created: C:\Users\user\AppData\Roaming\ymZXkfeikHno.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ymZXkfeikHno' /XML 'C:\Users\user\AppData\Local\Temp\tmpD2AD.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Uses an obfuscated file name to hide its real file extension (double extension)
        Source: Possible double extension: pdf.exe | Static PE information: New_Order.pdf.exe
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM3
        Source: Yara match | File source: 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: New_Order.pdf.exe PID: 6512, type: MEMORY
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 3004
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 6620
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: foregroundWindowGot 999
        Source: C:\Users\user\Desktop\New_Order.pdf.exe TID: 6516 | Thread sleep time: -104365s >= -30000s
        Source: C:\Users\user\Desktop\New_Order.pdf.exe TID: 6540 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | Thread delayed: delay time: 104365
        Source: RegSvcs.exe, 00000005.00000002.607474197.0000000006D90000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: vmware
        Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
        Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: VMWARE
        Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: RegSvcs.exe, 00000005.00000002.607474197.0000000006D90000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: RegSvcs.exe, 00000005.00000002.607474197.0000000006D90000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
        Source: New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: RegSvcs.exe, 00000005.00000002.607474197.0000000006D90000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\New_Order.pdf.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 420000
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1026008
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ymZXkfeikHno' /XML 'C:\Users\user\AppData\Local\Temp\tmpD2AD.tmp'
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: RegSvcs.exe, 00000005.00000002.601718242.0000000003424000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000005.00000002.600877344.0000000001CB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000005.00000002.600877344.0000000001CB0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: RegSvcs.exe, 00000005.00000002.607045792.00000000063AD000.00000004.00000001.sdmp | Binary or memory string: Program Managerk8
Source: RegSvcs.exe, 00000005.00000002.607137460.000000000652D000.00000004.00000001.sdmp | Binary or memory string: Program Manager0
Source: RegSvcs.exe, 00000005.00000002.601093794.0000000003221000.00000004.00000001.sdmp | Binary or memory string: Program ManagerHa'l
Source: RegSvcs.exe, 00000005.00000002.600877344.0000000001CB0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: RegSvcs.exe, 00000005.00000002.600877344.0000000001CB0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: RegSvcs.exe, 00000005.00000002.601718242.0000000003424000.00000004.00000001.sdmp | Binary or memory string: Program Manager`
Source: RegSvcs.exe, 00000005.00000002.607453594.0000000006B0D000.00000004.00000001.sdmp | Binary or memory string: Program Manager0OB
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Queries volume information: C:\Users\user\Desktop\New_Order.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\New_Order.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000005.00000002.601093794.0000000003221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.599669411.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.347888838.0000000003871000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.604349712.0000000004269000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.606793960.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New_Order.pdf.exe PID: 6512, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6768, type: MEMORY
Source: Yara match | File source: 5.2.RegSvcs.exe.426ff7c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.426b146.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.426ff7c.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New_Order.pdf.exe.392a5c0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.42745a5.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.5ba4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New_Order.pdf.exe.392a5c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.5ba0000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.5ba0000.9.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: New_Order.pdf.exe, 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000005.00000002.601093794.0000000003221000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000005.00000002.601093794.0000000003221000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match | File source: 00000005.00000002.601093794.0000000003221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.599669411.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.347888838.0000000003871000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.604349712.0000000004269000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.606793960.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New_Order.pdf.exe PID: 6512, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6768, type: MEMORY
Source: Yara match | File source: 5.2.RegSvcs.exe.426ff7c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.426b146.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.426ff7c.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New_Order.pdf.exe.392a5c0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.42745a5.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.5ba4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New_Order.pdf.exe.392a5c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.5ba0000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.5ba0000.9.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The matrix is listed here per tactic column; the superscript digits that the original attaches to a technique name are kept as trailing digits.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Scheduled Task/Job1; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Scheduled Task/Job1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection312; Scheduled Task/Job1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading11; Disable or Modify Tools1; Virtualization/Sandbox Evasion31; Process Injection312; Deobfuscate/Decode Files or Information1; Obfuscated Files or Information12; Software Packing13
Credential Access: Input Capture11; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery211; Process Discovery2; Virtualization/Sandbox Evasion31; Application Window Discovery1; File and Directory Discovery1; System Information Discovery12; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Input Capture11; Archive Collected Data11; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel1; Non-Standard Port1; Remote Access Software1; Non-Application Layer Protocol1; Application Layer Protocol21; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Behavior Graph

(Interactive behavior graph and its legend are not reproduced in this text version.)

Screenshots

(Screenshot thumbnails are not reproduced in this text version.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
New_Order.pdf.exe | 20% | Virustotal |
New_Order.pdf.exe | 30% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\ymZXkfeikHno.exe | 30% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot

Unpacked PE Files

Source | Detection | Scanner | Label
5.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
5.2.RegSvcs.exe.5ba0000.9.unpack | 100% | Avira | TR/NanoCore.fadte

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://checkip.dyndns.org/ | 0% | Avira URL Cloud | safe
wealth2021.ddns.net | 0% | Avira URL Cloud | safe
http://servermanager.miixit.org/hits/hit_index.php?k=1 | 0% | Avira URL Cloud | safe
http://servermanager.miixit.org/E | 0% | Avira URL Cloud | safe
http://servermanager.miixit.org/index_ru.html | 0% | Avira URL Cloud | safe
http://servermanager.miixit.org/report/reporter_index.php?name= | 0% | Avira URL Cloud | safe
http://servermanager.miixit.org/ | 0% | Avira URL Cloud | safe
http://servermanager.miixit.org/index_ru.htmlk | 0% | Avira URL Cloud | safe
185.140.53.138 | 0% | Avira URL Cloud | safe
http://servermanager.miixit.org/downloads/ | 0% | Avira URL Cloud | safe
http://servermanager.miixit.org/hits/hit_index.php?k= | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
wealth2021.ddns.net | 185.140.53.138 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
wealth2021.ddns.net | true | Avira URL Cloud: safe | unknown
185.140.53.138 | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | New_Order.pdf.exe | false | Avira URL Cloud: safe | unknown
http://servermanager.miixit.org/hits/hit_index.php?k=1 | New_Order.pdf.exe | false | Avira URL Cloud: safe | unknown
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC | New_Order.pdf.exe | false | | high
http://servermanager.miixit.org/E | New_Order.pdf.exe | false | Avira URL Cloud: safe | unknown
http://servermanager.miixit.org/index_ru.html | New_Order.pdf.exe | false | Avira URL Cloud: safe | unknown
http://servermanager.miixit.org/report/reporter_index.php?name= | New_Order.pdf.exe | false | Avira URL Cloud: safe | unknown
http://servermanager.miixit.org/ | New_Order.pdf.exe | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | New_Order.pdf.exe, 00000000.00000002.346368888.0000000002871000.00000004.00000001.sdmp | false | | high
http://servermanager.miixit.org/index_ru.htmlk | New_Order.pdf.exe | false | Avira URL Cloud: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | New_Order.pdf.exe, 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp | false | | high
http://servermanager.miixit.org/downloads/ | New_Order.pdf.exe | false | Avira URL Cloud: safe | unknown
http://servermanager.miixit.org/hits/hit_index.php?k= | New_Order.pdf.exe | false | Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.140.53.138 | wealth2021.ddns.net | Sweden | 209623 | DAVID_CRAIGGG | true

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 412129
Start date: 12.05.2021
Start time: 12:28:37
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 53s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: New_Order.pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@6/5@12/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 42
• Number of non-executed functions: 3
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 13.88.21.125, 104.42.151.234, 92.122.145.220, 20.82.210.154, 92.122.213.194, 92.122.213.247, 2.20.143.16, 2.20.142.209, 52.155.217.156, 20.54.26.129, 184.30.20.56, 20.50.102.62
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
12:29:32 | API Interceptor | 2x Sleep call for process: New_Order.pdf.exe modified

Joe Sandbox View / Context

IPs

Match: 185.140.53.138
Associated samples (all detected as malicious):
• New_Quotation_Request.pdf.exe
• QUOTATION_ORDER.pdf.exe
• URGENTPURCHASEORDER.pdf.exe
• NEW_ORDER.pdf.exe
• NEW_ORDER.pdf.exe
• Quotation_Request.pdf.exe
• URGENT_ORDER.pdf.exe
• Purchase_Order.pdf.exe
• 1PH37n4Gva.exe
• 35dbds3GQG.exe
• QXJGE2LOdP.exe
• O4m3hDFNbh.exe
• nrv_remittance#U007eorder#U007epayment.exe
• NEW ORDER REQUEST_EXPORT005JKL DOC.exe
• WIRE COPY ORDER T104484_PP.exe
• 71AXBkD1wA.exe

Domains

Match: wealth2021.ddns.net
Associated samples (all detected as malicious; context IP in parentheses):
• New_Quotation_Request.pdf.exe (185.140.53.138)
• QUOTATION_ORDER.pdf.exe (185.140.53.138)
• URGENTPURCHASEORDER.pdf.exe (185.140.53.138)
• NEW_ORDER.pdf.exe (185.140.53.138)
• NEW_ORDER.pdf.exe (185.140.53.138)
• Quotation_Request.pdf.exe (185.140.53.138)
• URGENT_ORDER.pdf.exe (185.140.53.138)
• Purchase_Order.pdf.exe (185.140.53.138)

ASN

Match: DAVID_CRAIGGG
Associated samples (all detected as malicious; context IP in parentheses):
• PaymentConfirmation.exe (185.140.53.71)
• Document - Banca Transilvania .exe (185.140.53.73)
• ATTACHED DRAWING AND SPECIFICATION.jar (185.244.30.4)
• ATTACHED DRAWING AND SPECIFICATION.jar (185.244.30.4)
• PO.98504_samples.exe (185.140.53.69)
• cotizaci#U00f3n.PDF.exe (185.140.53.137)
• Order Sheet.exe (185.140.53.139)
• EU_SANCTION_LETTER-05052021.exe (185.140.53.230)
• purchase order 0234.exe (185.140.53.143)
• ORDER-210067.xls.exe (185.165.153.116)
• 03_pgr.exe (185.140.53.71)
• 02_tmp.exe (185.140.53.71)
• 03_pgr.exe (185.140.53.71)
• 12_tmp.exe (185.140.53.71)
• 13_pgr.exe (185.140.53.71)
• 02_tmp.exe (185.140.53.71)
• 12_pgr.exe (185.140.53.71)
• 11_tmp.exe (185.140.53.71)
• doc_07621DERG7011220213300.exe (185.140.53.230)
• PaymentNotification.vbs (185.140.53.71)

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New_Order.pdf.exe.log
Process: C:\Users\user\Desktop\New_Order.pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmpD2AD.tmp
Process: C:\Users\user\Desktop\New_Order.pdf.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1657
Entropy (8bit): 5.161216213355059
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3JOtn:cbha7JlNQV/rydbz9I3YODOLNdq3jo
MD5: E182F866545F93044CFDDED5B8A8F4A1
SHA1: 608F1CDEC414EE0AEC750421F8DD0AEDCF36B630
SHA-256: F2AFD190498B17333AD6FEC899CDCF75E74AA7AA3B7E91DB07D0F605023AA032
SHA-512: E7F50851A4EE3B0D813E8FD5173984A4D83F86D4F8C26CC38E8D347CC99FC6B7D5FFE7F198ED59E0E09A3A8308801561DFA0A908B7BAB2787E681B56940BE42D
Malicious: true
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:International EBCDIC text, with NEL line terminators
                                                Category:dropped
                                                Size (bytes):8
                                                Entropy (8bit):2.75
                                                Encrypted:false
                                                SSDEEP:3:gn:gn
                                                MD5:566AA7EB664519E41C2038BBCFAE4DD7
                                                SHA1:6BA50236D65CF7077527FDD674A5C4D3F8C3BD38
                                                SHA-256:1FE17F82472DE6F047E2C3533C32359D6016B88CC2A4D6932F73C4CCF17463DE
                                                SHA-512:625321A59D7A0A0E28083AE0641E41933E735CF5DB354A62EA2703A785A09A1C4F29852A2F1CA710254E7CBE52F2748F53946E2BBE84A0D83170ACFC941A4B6C
                                                Malicious:true
                                                Reputation:low
                                                Preview: .iH|..H
                                                C:\Users\user\AppData\Roaming\ymZXkfeikHno.exe
                                                Process:C:\Users\user\Desktop\New_Order.pdf.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):1032192
                                                Entropy (8bit):7.881923303077381
                                                Encrypted:false
                                                SSDEEP:24576:AZbI6jw9IbH9yxsuqsng6HeCAMaDUX9ofPoD+7Id:yESByxszsgCec+k
                                                MD5:6FC2FE3CB8489C06E4CDF490D8D85831
                                                SHA1:5F9A79048125FA59AFEF8283F697B4C5E20BD919
                                                SHA-256:4303C5ACE1EAF268FB19A2B2ABD471958BF8B9805CFB955F5905493785990FB0
                                                SHA-512:A8246D8AA8E0C9B661B58C959863AD7E42A63C7C8B6D9AA730A233CCCCEF67B078F6399EA2F17CD848E10E7EB8784273CEA3B4F719FF4DBAA13902CA4E55EC9D
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 30%
                                                Reputation:low
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.`..............P......8.......... ........@.. ....................... ............@.................................p...O........4..........................8................................................ ............... ..H............text....... ...................... ..`.rsrc....4.......6..................@..@.reloc..............................@..B........................H.......xr..0............................................................0............(....( .........(.....o!....*.....................("......(#......($......(%......(&....*N..(....o....('....*&..((....*.s)........s*........s+........s,........s-........*....0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*.0..<........~.....(3.....,!r...p.....(4...o5...s6............~.....+..*.0......
                                                C:\Users\user\AppData\Roaming\ymZXkfeikHno.exe:Zone.Identifier
                                                Process:C:\Users\user\Desktop\New_Order.pdf.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview: [ZoneTransfer]....ZoneId=0

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.881923303077381
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Windows Screen Saver (13104/52) 0.07%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                File name:New_Order.pdf.exe
                                                File size:1032192
                                                MD5:6fc2fe3cb8489c06e4cdf490d8d85831
                                                SHA1:5f9a79048125fa59afef8283f697b4c5e20bd919
                                                SHA256:4303c5ace1eaf268fb19a2b2abd471958bf8b9805cfb955f5905493785990fb0
                                                SHA512:a8246d8aa8e0c9b661b58c959863ad7e42a63c7c8b6d9aa730a233ccccef67b078f6399ea2f17cd848e10e7eb8784273cea3b4f719ff4dbaa13902ca4e55ec9d
                                                SSDEEP:24576:AZbI6jw9IbH9yxsuqsng6HeCAMaDUX9ofPoD+7Id:yESByxszsgCec+k
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.`..............P......8........... ........@.. ....................... ............@................................

                                                File Icon

                                                Icon Hash:f2d2e9fcc4ead362

                                                Static PE Info

                                                General

                                                Entrypoint:0x4fa4c2
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x609B3BF1 [Wed May 12 02:22:41 2021 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:v4.0.30319
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                Entrypoint Preview

                                                Instruction
                                                jmp dword ptr [00402000h]

                                                Data Directories

                                                Name                                 | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                                IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xfa470         | 0x4f         | .text
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xfc000         | 0x34d4       | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                                IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x100000        | 0xc          | .reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG          | 0xfa338         | 0x1c         | .text
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                                IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                                IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                                                IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

                                                Sections

                                                Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy        | Characteristics
                                                .text  | 0x2000          | 0xf84c8      | 0xf8600  | False    | 0.915248922685  | data      | 7.90078370976  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                .rsrc  | 0xfc000         | 0x34d4       | 0x3600   | False    | 0.361689814815  | data      | 5.25530670764  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc | 0x100000        | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                Name          | RVA     | Size   | Type                                                                                                    | Language | Country
                                                RT_ICON       | 0xfc100 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 |          |
                                                RT_GROUP_ICON | 0xfe6b8 | 0x14   | data                                                                                                    |          |
                                                RT_VERSION    | 0xfe6dc | 0x37c  | data                                                                                                    |          |
                                                RT_MANIFEST   | 0xfea68 | 0xa65  | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators                             |          |

                                                Imports

                                                DLL         | Import
                                                mscoree.dll | _CorExeMain

                                                Version Infos

                                                Description      | Data
                                                Translation      | 0x0000 0x04b0
                                                LegalCopyright   | Copyright 2013
                                                Assembly Version | 3.0.0.0
                                                InternalName     | DuplicateIdentityOption.exe
                                                FileVersion      | 3.0.0.0
                                                CompanyName      |
                                                LegalTrademarks  |
                                                Comments         |
                                                ProductName      | ServerManager_Core
                                                ProductVersion   | 3.0.0.0
                                                FileDescription  | ServerManager_Core
                                                OriginalFilename | DuplicateIdentityOption.exe

                                                Network Behavior

                                                Network Port Distribution

                                                TCP Packets

                                                May 12, 2021 12:31:04.141330004 CEST2022149767185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:04.644081116 CEST4976720221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:04.693713903 CEST2022149767185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:05.206625938 CEST4976720221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:05.256577969 CEST2022149767185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:09.343466043 CEST4977020221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:09.391796112 CEST2022149770185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:09.894494057 CEST4977020221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:09.942806959 CEST2022149770185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:10.453645945 CEST4977020221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:10.502042055 CEST2022149770185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:14.514848948 CEST4977120221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:14.563254118 CEST2022149771185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:15.076762915 CEST4977120221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:15.125128031 CEST2022149771185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:15.631580114 CEST4977120221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:15.681210995 CEST2022149771185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:19.693536043 CEST4977220221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:19.746761084 CEST2022149772185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:20.254174948 CEST4977220221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:20.302656889 CEST2022149772185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:20.816535950 CEST4977220221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:20.864928961 CEST2022149772185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:24.881042004 CEST4977320221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:24.929415941 CEST2022149773185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:25.442012072 CEST4977320221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:25.490387917 CEST2022149773185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:26.004513979 CEST4977320221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:26.053064108 CEST2022149773185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:30.150844097 CEST4977420221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:30.199249029 CEST2022149774185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:30.707911015 CEST4977420221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:30.756226063 CEST2022149774185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:31.270565987 CEST4977420221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:31.321008921 CEST2022149774185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:35.438254118 CEST4977520221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:35.486583948 CEST2022149775185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:35.989571095 CEST4977520221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:36.038077116 CEST2022149775185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:36.552244902 CEST4977520221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:36.600672007 CEST2022149775185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:40.669079065 CEST4977620221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:40.717629910 CEST2022149776185.140.53.138192.168.2.6
                                                May 12, 2021 12:31:41.224402905 CEST4977620221192.168.2.6185.140.53.138
                                                May 12, 2021 12:31:41.272840977 CEST2022149776185.140.53.138192.168.2.6

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 12, 2021 12:29:20.895411015 CEST | 57725 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:20.955219030 CEST | 53 | 57725 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:21.314862013 CEST | 49283 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:21.378123999 CEST | 53 | 49283 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:22.468359947 CEST | 58377 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:22.527188063 CEST | 53 | 58377 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:24.156375885 CEST | 55074 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:24.205110073 CEST | 53 | 55074 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:24.356827974 CEST | 54513 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:24.429089069 CEST | 53 | 54513 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:25.301359892 CEST | 62044 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:25.352838039 CEST | 53 | 62044 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:26.733727932 CEST | 63791 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:26.785280943 CEST | 53 | 63791 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:28.004688025 CEST | 64267 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:28.057955027 CEST | 53 | 64267 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:29.208899021 CEST | 49448 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:29.257678032 CEST | 53 | 49448 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:30.346888065 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:30.397075891 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:32.005417109 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:32.054203033 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:33.897841930 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:33.946604013 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:35.555716991 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:35.607325077 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:37.197730064 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:37.246781111 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:38.486478090 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:38.537022114 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:39.703520060 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:39.757613897 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:40.899111032 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:40.947866917 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:42.799803972 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:42.848736048 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:48.985002995 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:49.055519104 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:50.126116991 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:50.175098896 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:51.193049908 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:51.241868973 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:55.262309074 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:55.323436975 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:29:56.930059910 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:29:56.992404938 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:00.518769979 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:00.580630064 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:02.136265039 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:02.198227882 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:05.987323999 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:06.049637079 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:16.433032990 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:16.484332085 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:16.744083881 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:16.848860025 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:17.776057005 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:17.833656073 CEST | 53 | 50010 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:18.401295900 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:18.555679083 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:19.086595058 CEST | 62116 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:19.091703892 CEST | 63816 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:19.149041891 CEST | 53 | 63816 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:19.159249067 CEST | 53 | 62116 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:19.749164104 CEST | 55014 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:19.809854031 CEST | 53 | 55014 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:20.380072117 CEST | 62208 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:20.439821005 CEST | 53 | 62208 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:20.908163071 CEST | 57574 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:20.956857920 CEST | 53 | 57574 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:21.894449949 CEST | 51818 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:21.952825069 CEST | 53 | 51818 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:22.998903036 CEST | 56628 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:23.056011915 CEST | 53 | 56628 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:23.572267056 CEST | 60778 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:23.629511118 CEST | 53 | 60778 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:27.261626959 CEST | 53799 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:27.326591969 CEST | 53 | 53799 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:31.062812090 CEST | 54683 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:31.119915009 CEST | 53 | 54683 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:32.520057917 CEST | 59329 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:32.550263882 CEST | 64021 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:32.577332973 CEST | 53 | 59329 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:32.616899014 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:33.924038887 CEST | 56129 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:33.985575914 CEST | 53 | 56129 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:37.859572887 CEST | 58177 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:37.923305035 CEST | 53 | 58177 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:58.750312090 CEST | 50700 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:58.814620018 CEST | 53 | 50700 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:30:58.968286037 CEST | 54069 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:30:59.199368000 CEST | 53 | 54069 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:31:04.034439087 CEST | 61178 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:31:04.091659069 CEST | 53 | 61178 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:31:05.648231983 CEST | 57017 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:31:05.715780020 CEST | 53 | 57017 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:31:07.765379906 CEST | 56327 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:31:07.827125072 CEST | 53 | 56327 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:31:09.276520014 CEST | 50243 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:31:09.341092110 CEST | 53 | 50243 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:31:30.097410917 CEST | 62055 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:31:30.146094084 CEST | 53 | 62055 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:31:35.338850975 CEST | 61249 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:31:35.399624109 CEST | 53 | 61249 | 8.8.8.8 | 192.168.2.6
May 12, 2021 12:31:40.615663052 CEST | 65252 | 53 | 192.168.2.6 | 8.8.8.8
May 12, 2021 12:31:40.668431997 CEST | 53 | 65252 | 8.8.8.8 | 192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 12, 2021 12:29:55.262309074 CEST | 192.168.2.6 | 8.8.8.8 | 0x1922 | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 12:30:00.518769979 CEST | 192.168.2.6 | 8.8.8.8 | 0xd225 | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 12:30:05.987323999 CEST | 192.168.2.6 | 8.8.8.8 | 0x4229 | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 12:30:27.261626959 CEST | 192.168.2.6 | 8.8.8.8 | 0x67bd | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 12:30:32.520057917 CEST | 192.168.2.6 | 8.8.8.8 | 0xf22f | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 12:30:37.859572887 CEST | 192.168.2.6 | 8.8.8.8 | 0x89b9 | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 12:30:58.750312090 CEST | 192.168.2.6 | 8.8.8.8 | 0x2567 | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 12:31:04.034439087 CEST | 192.168.2.6 | 8.8.8.8 | 0x3c5c | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 12:31:09.276520014 CEST | 192.168.2.6 | 8.8.8.8 | 0x70b2 | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 12:31:30.097410917 CEST | 192.168.2.6 | 8.8.8.8 | 0xdfe7 | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 12:31:35.338850975 CEST | 192.168.2.6 | 8.8.8.8 | 0x682 | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 12:31:40.615663052 CEST | 192.168.2.6 | 8.8.8.8 | 0xa394 | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 12, 2021 12:29:55.323436975 CEST | 8.8.8.8 | 192.168.2.6 | 0x1922 | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
May 12, 2021 12:30:00.580630064 CEST | 8.8.8.8 | 192.168.2.6 | 0xd225 | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
May 12, 2021 12:30:06.049637079 CEST | 8.8.8.8 | 192.168.2.6 | 0x4229 | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
May 12, 2021 12:30:27.326591969 CEST | 8.8.8.8 | 192.168.2.6 | 0x67bd | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
May 12, 2021 12:30:32.577332973 CEST | 8.8.8.8 | 192.168.2.6 | 0xf22f | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
May 12, 2021 12:30:37.923305035 CEST | 8.8.8.8 | 192.168.2.6 | 0x89b9 | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
May 12, 2021 12:30:58.814620018 CEST | 8.8.8.8 | 192.168.2.6 | 0x2567 | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
May 12, 2021 12:31:04.091659069 CEST | 8.8.8.8 | 192.168.2.6 | 0x3c5c | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
May 12, 2021 12:31:09.341092110 CEST | 8.8.8.8 | 192.168.2.6 | 0x70b2 | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
May 12, 2021 12:31:30.146094084 CEST | 8.8.8.8 | 192.168.2.6 | 0xdfe7 | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
May 12, 2021 12:31:35.399624109 CEST | 8.8.8.8 | 192.168.2.6 | 0x682 | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
May 12, 2021 12:31:40.668431997 CEST | 8.8.8.8 | 192.168.2.6 | 0xa394 | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
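Read together, the DNS and TCP tables show the C2 loop this report flags as "Uses dynamic DNS services" and "Detected TCP or UDP traffic on non-standard ports": the sample resolves wealth2021.ddns.net, gets 185.140.53.138, and opens a fresh connection from a new ephemeral port to TCP 20221 roughly every five seconds, several of them within tens of milliseconds of a fresh A lookup (the 12:30:37.923 answer is followed by the 12:30:37.924 connection). The Python below is an added example, not code from the Joe Sandbox report or from NanoCore: it rebuilds that beaconing profile from rows transcribed out of the tables above (first packet of each session, timestamps truncated to microseconds), measures the inter-session period and jitter, and joins the server to the name that resolved to it. The dynamic-DNS suffix list, the well-known-port set and the jitter threshold are illustrative assumptions.

```python
"""Beacon reconstruction from the report's packet and DNS rows.

Added example; not part of the Joe Sandbox report or of NanoCore.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Rows transcribed from the TCP Packets table: (timestamp, src port, dst port, src ip, dst ip).
# Only the first client packet of each session is kept, plus two server replies to show that
# packets in both directions fold into one session; timestamps truncated to microseconds.
TCP_ROWS = [
    ("2021-05-12 12:30:37.924879", 49759, 20221, "192.168.2.6", "185.140.53.138"),
    ("2021-05-12 12:30:37.973246", 20221, 49759, "185.140.53.138", "192.168.2.6"),
    ("2021-05-12 12:30:43.159349", 49760, 20221, "192.168.2.6", "185.140.53.138"),
    ("2021-05-12 12:30:43.209573", 20221, 49760, "185.140.53.138", "192.168.2.6"),
    ("2021-05-12 12:30:48.348090", 49761, 20221, "192.168.2.6", "185.140.53.138"),
    ("2021-05-12 12:30:53.540735", 49762, 20221, "192.168.2.6", "185.140.53.138"),
    ("2021-05-12 12:30:58.815865", 49765, 20221, "192.168.2.6", "185.140.53.138"),
    ("2021-05-12 12:31:04.093189", 49767, 20221, "192.168.2.6", "185.140.53.138"),
    ("2021-05-12 12:31:09.343466", 49770, 20221, "192.168.2.6", "185.140.53.138"),
    ("2021-05-12 12:31:14.514848", 49771, 20221, "192.168.2.6", "185.140.53.138"),
    ("2021-05-12 12:31:19.693536", 49772, 20221, "192.168.2.6", "185.140.53.138"),
    ("2021-05-12 12:31:24.881042", 49773, 20221, "192.168.2.6", "185.140.53.138"),
    ("2021-05-12 12:31:30.150844", 49774, 20221, "192.168.2.6", "185.140.53.138"),
    ("2021-05-12 12:31:35.438254", 49775, 20221, "192.168.2.6", "185.140.53.138"),
    ("2021-05-12 12:31:40.669079", 49776, 20221, "192.168.2.6", "185.140.53.138"),
]

# Rows transcribed from the DNS Answers table: (timestamp, name, address).
DNS_ANSWERS = [
    ("2021-05-12 12:30:32.577332", "wealth2021.ddns.net", "185.140.53.138"),
    ("2021-05-12 12:30:37.923305", "wealth2021.ddns.net", "185.140.53.138"),
    ("2021-05-12 12:31:40.668431", "wealth2021.ddns.net", "185.140.53.138"),
]

ANALYSIS_HOST = "192.168.2.6"
# Illustrative assumptions, not from the report.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".duckdns.org", ".hopto.org")
WELL_KNOWN_PORTS = {25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8080, 8443}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def sessions(rows, client_ip):
    """First-seen time of every client session, keyed by (client port, server ip, server port).
    A packet in either direction maps onto the same key."""
    first_seen = {}
    for ts, sport, dport, sip, dip in rows:
        if sip == client_ip:
            key = (sport, dip, dport)
        elif dip == client_ip:
            key = (dport, sip, sport)
        else:
            continue
        t = _ts(ts)
        if key not in first_seen or t < first_seen[key]:
            first_seen[key] = t
    return first_seen


def beacon_profile(rows, client_ip, min_sessions=5, max_jitter=0.5):
    """Per (server ip, port): session count, median inter-session period and jitter
    (max delta minus min delta). Many short sessions with low jitter is the beaconing signature."""
    by_server = defaultdict(list)
    for (_cport, sip, sport), t in sessions(rows, client_ip).items():
        by_server[(sip, sport)].append(t)
    profile = {}
    for server, times in by_server.items():
        if len(times) < min_sessions:
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        jitter = max(deltas) - min(deltas)
        profile[server] = {
            "sessions": len(times),
            "period_s": round(median(deltas), 3),
            "jitter_s": round(jitter, 3),
            "beaconing": jitter <= max_jitter,
            "non_standard_port": server[1] not in WELL_KNOWN_PORTS,
        }
    return profile


def attribute_c2(profile, dns_answers):
    """Join each beaconing server to the names that resolved to it and flag dynamic DNS."""
    names_for_ip = defaultdict(set)
    for _when, name, addr in dns_answers:
        names_for_ip[addr].add(name)
    findings = []
    for (ip, port), p in sorted(profile.items()):
        if not p["beaconing"]:
            continue
        names = sorted(names_for_ip.get(ip, ()))
        findings.append({"ip": ip, "port": port, "domains": names,
                         "dynamic_dns": any(n.endswith(DYNDNS_SUFFIXES) for n in names), **p})
    return findings


if __name__ == "__main__":
    for finding in attribute_c2(beacon_profile(TCP_ROWS, ANALYSIS_HOST), DNS_ANSWERS):
        print(finding)
```

On these rows the profile for 185.140.53.138:20221 is 13 sessions with a median period of about 5.23 s and jitter of about 0.12 s, which is tight enough to stand out from interactive traffic; on a real capture the same grouping should be keyed by the host's actual address and fed every packet, since the per-session client port is what distinguishes a reconnect loop from one long-lived connection.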

                                                Code Manipulations

Statistics

Charts (CPU Usage, Memory Usage, High Level Behavior Distribution, Behavior) are interactive per-process graphs in the original report and are not reproduced here.

                                                System Behavior

                                                General

                                                Start time:12:29:30
                                                Start date:12/05/2021
                                                Path:C:\Users\user\Desktop\New_Order.pdf.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\Desktop\New_Order.pdf.exe'
                                                Imagebase:0x480000
                                                File size:1032192 bytes
                                                MD5 hash:6FC2FE3CB8489C06E4CDF490D8D85831
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.348225167.00000000039C6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.347888838.0000000003871000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.347888838.0000000003871000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.347888838.0000000003871000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.346539912.00000000028BC000.00000004.00000001.sdmp, Author: Joe Security
                                                Reputation:low

                                                General

                                                Start time:12:29:35
                                                Start date:12/05/2021
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ymZXkfeikHno' /XML 'C:\Users\user\AppData\Local\Temp\tmpD2AD.tmp'
                                                Imagebase:0x360000
                                                File size:185856 bytes
                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:12:29:35
                                                Start date:12/05/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff61de10000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:12:29:35
                                                Start date:12/05/2021
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Imagebase:0xfb0000
                                                File size:45152 bytes
                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.601093794.0000000003221000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.606732011.0000000005B50000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.606732011.0000000005B50000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.599669411.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.599669411.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.599669411.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.604349712.0000000004269000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.604349712.0000000004269000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.606793960.0000000005BA0000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.606793960.0000000005BA0000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.606793960.0000000005BA0000.00000004.00000001.sdmp, Author: Joe Security
                                                Reputation:high
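The Yara matches above all point at memory dump files whose names encode where in the process the hit occurred. As an added example (not part of the Joe Sandbox report or its tooling), the Python below parses those match lines, decodes the dump identifier, and ranks memory regions by how many rules fired on them, so the executable region that several independent rules agree on (the unpacked payload) is easy to spot. The identifier layout assumed here (process index, dump index, dump id, base address, protection, region type, all hex except the id) is inferred from the naming pattern in the report, and the protection field is read as a Windows PAGE_* constant; both are assumptions. The sample lines are copied from the report.

```python
"""Parse Joe Sandbox style 'Yara matches' lines and rank memory regions.

Added example, not from the report. The dump-name layout and the reading of
the protection field as a Windows PAGE_* value are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: match lines copied from the report's Yara section.
SAMPLE_MATCHES = """\
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.601093794.0000000003221000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000005.00000002.606732011.0000000005B50000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.606732011.0000000005B50000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000005.00000002.599669411.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.599669411.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000005.00000002.599669411.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.604349712.0000000004269000.00000004.00000001.sdmp, Author: Joe Security
"""

# Windows memory protection constants (documented values from winnt.h).
PAGE_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

LINE_RE = re.compile(
    r"Rule:\s*(?P<rule>[^,]+),\s*Description:\s*(?P<desc>.*?),"
    r"\s*Source:\s*(?P<source>[^,\s]+),\s*Author:\s*(?P<author>.+?)\s*$"
)


@dataclass(frozen=True)
class DumpSource:
    """Fields of '<proc>.<dump>.<id>.<base>.<prot>.<type>.sdmp' (assumed layout)."""
    process: int
    dump_index: int
    dump_id: str
    base: int
    protection: int
    region_type: int

    @property
    def executable(self) -> bool:
        # Any PAGE_EXECUTE* flag lives in the high nibble of the low byte.
        return bool(self.protection & 0xF0)

    @property
    def protection_name(self) -> str:
        return PAGE_NAMES.get(self.protection & 0xFF, f"0x{self.protection:x}")


@dataclass(frozen=True)
class YaraHit:
    rule: str
    description: str
    author: str
    source: DumpSource


def parse_source(name: str) -> DumpSource:
    parts = name.split(".")
    if len(parts) != 7 or parts[-1] != "sdmp":
        raise ValueError(f"unexpected dump name: {name!r}")
    return DumpSource(int(parts[0], 16), int(parts[1], 16), parts[2],
                      int(parts[3], 16), int(parts[4], 16), int(parts[5], 16))


def parse_matches(text: str) -> list[YaraHit]:
    """Extract one YaraHit per 'Rule: ..., Source: ..., Author: ...' line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # bullets, blank lines and other report fields are skipped
        hits.append(YaraHit(m["rule"].strip(), m["desc"].strip(),
                            m["author"].strip(), parse_source(m["source"])))
    return hits


def hits_by_region(hits: list[YaraHit]) -> dict[DumpSource, set[str]]:
    grouped: dict[DumpSource, set[str]] = defaultdict(set)
    for h in hits:
        grouped[h.source].add(h.rule)
    return dict(grouped)


def summarize(hits: list[YaraHit]) -> list[dict]:
    """Regions ordered by rule count, executable regions first on ties."""
    grouped = hits_by_region(hits)
    ordered = sorted(grouped.items(),
                     key=lambda kv: (-len(kv[1]), not kv[0].executable, kv[0].base))
    return [{"region": src, "rules": sorted(rules), "executable": src.executable}
            for src, rules in ordered]


if __name__ == "__main__":
    for row in summarize(parse_matches(SAMPLE_MATCHES)):
        r = row["region"]
        flag = "EXEC" if row["executable"] else "    "
        print(f"proc {r.process} base 0x{r.base:08x} {r.protection_name:<24} {flag} "
              f"{len(row['rules'])} rule(s): {', '.join(row['rules'])}")
```

Run as is and the top row is process 5, base 0x00402000, PAGE_EXECUTE_READWRITE, hit by all three rule families; that is the region to dump and carve when you want the unpacked NanoCore image rather than the packed loader on disk.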

                                                Disassembly

                                                Code Analysis


                                                  Executed Functions

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.352679542.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8d1abfa238b5cb908eb81025d69815ed7b708ed26d1b0cdb514b719506c145cc
                                                  • Instruction ID: f67150707c152ac301edcea7df626e87d6ff0effe671e54065cd252cf6c9621e
                                                  • Opcode Fuzzy Hash: 8d1abfa238b5cb908eb81025d69815ed7b708ed26d1b0cdb514b719506c145cc
                                                  • Instruction Fuzzy Hash: 2D62D534A10618CFDB54EF74C994AADB7B1FF89304F2196A9D50AAB361DB30AD81CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.352679542.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0c64cc7e8b996aefd10575b27181daff15e4ea4aba96d404a27f5a4d95382544
                                                  • Instruction ID: b7de042a490c0cde16e5d19e2177418d1986e507f58be2218fd80edfe9f734f7
                                                  • Opcode Fuzzy Hash: 0c64cc7e8b996aefd10575b27181daff15e4ea4aba96d404a27f5a4d95382544
                                                  • Instruction Fuzzy Hash: BA62D434A50618CFDB54EF74C994AADB7B1FF89304F2196A9D50AAB361DB30AD81CF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.352679542.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f69b938dabc9c70afa4e78546b59cb97814ccf4af0ade5774b6ee67d9e02c7e0
                                                  • Instruction ID: 25171b2a92ca57ef061b58012f25d84f92038505b2f7529efee89ac9bd5b16df
                                                  • Opcode Fuzzy Hash: f69b938dabc9c70afa4e78546b59cb97814ccf4af0ade5774b6ee67d9e02c7e0
                                                  • Instruction Fuzzy Hash: 0431D6B1D006099BDB08DFABD8406EEFBF7AF89304F04D1299918BB254EB755946CF80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.352679542.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e50ba7a4c970f9ae18ea9e4391f08c1d82472b256e9fc4c2af5a590fb288b021
                                                  • Instruction ID: dbd6b6671017b5dae9d6b1528e2919ed21b8cea333e3246c5c7b5e7727b499a7
                                                  • Opcode Fuzzy Hash: e50ba7a4c970f9ae18ea9e4391f08c1d82472b256e9fc4c2af5a590fb288b021
                                                  • Instruction Fuzzy Hash: 6231D6B1D006099BDB08DFABC8406EEFBF7AF89304F04D1299918BB254EB755946CF80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 00EF6C00
                                                  • GetCurrentThread.KERNEL32 ref: 00EF6C3D
                                                  • GetCurrentProcess.KERNEL32 ref: 00EF6C7A
                                                  • GetCurrentThreadId.KERNEL32 ref: 00EF6CD3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.345904530.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: 696c5a83b1ec4d13217aaf5b132446603f8b6c4df4c3416e7341d0689d2ea7cb
                                                  • Instruction ID: b56ad8aee47db2bd105c760dea90b847776390f1a58180b88a5d94e60a0664f6
                                                  • Opcode Fuzzy Hash: 696c5a83b1ec4d13217aaf5b132446603f8b6c4df4c3416e7341d0689d2ea7cb
                                                  • Instruction Fuzzy Hash: 405157B89007488FDB14CFA9D648BAEBBF0FF88304F208459E559B7250D774A884CF65
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 00EF6C00
                                                  • GetCurrentThread.KERNEL32 ref: 00EF6C3D
                                                  • GetCurrentProcess.KERNEL32 ref: 00EF6C7A
                                                  • GetCurrentThreadId.KERNEL32 ref: 00EF6CD3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.345904530.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: 8c19de62e1c29853bdb95435a9c39752817cafc06905f57df994fff7951e5e92
                                                  • Instruction ID: 82d8f1b03c10f8cc275ebd5e2fbdb39e0c42a676ec6f851232b19ad02592388f
                                                  • Opcode Fuzzy Hash: 8c19de62e1c29853bdb95435a9c39752817cafc06905f57df994fff7951e5e92
                                                  • Instruction Fuzzy Hash: 215156B89006488FDB14CFAAD6487EEBBF0FF88318F208459E559B7250D774A884CF65
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00EFBE0E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.345904530.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: 5cf86fa1bb39305de1c7e1dedadc60a846a82060cc036e4d1c639c1fa587ce9e
                                                  • Instruction ID: bb6d6a6dcf9b9fbf33f4865aa18f53eb5443082b3527ff9405fccbe910567e47
                                                  • Opcode Fuzzy Hash: 5cf86fa1bb39305de1c7e1dedadc60a846a82060cc036e4d1c639c1fa587ce9e
                                                  • Instruction Fuzzy Hash: 0F713470A00B098FD724CF69C04576ABBF1FF88308F108A2DD58AEBA40DB75E9458F91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00EFDD8A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.345904530.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  • Opcode ID: abc7adc10517cd99feed70af856d79c07c4647977c6c23f3c23a7b07ba21beec
                                                  • Instruction ID: 1c339dddfb3477ffe42517f6c8597a671146c0ce4ee72a339147868a7d23bf63
                                                  • Opcode Fuzzy Hash: abc7adc10517cd99feed70af856d79c07c4647977c6c23f3c23a7b07ba21beec
                                                  • Instruction Fuzzy Hash: 8651D3B1D043099FDB14CF99C884ADEBFB6BF48314F24812AE919BB210D7759945CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00EFDD8A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.345904530.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  • Opcode ID: 869d6ad6d5fe65c99a304ac3505b4aafc61aae4c9fdf844231e4574f37f865ca
                                                  • Instruction ID: fb02238f427eab4594d2f4d7c4507c4df1645b8b169fe0346cc3b2a78fba8cc1
                                                  • Opcode Fuzzy Hash: 869d6ad6d5fe65c99a304ac3505b4aafc61aae4c9fdf844231e4574f37f865ca
                                                  • Instruction Fuzzy Hash: 2B41B1B1D003099FDB14CF99C884ADEBFB6BF48314F24822AE919AB250D7759985CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EF6E4F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.345904530.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 9126dacd2e971fa2b9ff9db2a54403531aea720f7f7036d5103638004b427a45
                                                  • Instruction ID: d7330f5f89411ecfc9762d5345b1afe9929e662b5fd0e5013354d5d9849862d0
                                                  • Opcode Fuzzy Hash: 9126dacd2e971fa2b9ff9db2a54403531aea720f7f7036d5103638004b427a45
                                                  • Instruction Fuzzy Hash: C841597AA00259AFCB01CF99D844AEEBFF5FF88310F15845AEA54A7210C3759954DFA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 04EE3F49
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.352679542.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 40935774600bf22a79a0d67ade3844c7ad9d72080e979b972a53132f37f03df9
                                                  • Instruction ID: 3acd7347aa1003849a4099145fa5fd90f39d0be6459c61532e1c17861f238b28
                                                  • Opcode Fuzzy Hash: 40935774600bf22a79a0d67ade3844c7ad9d72080e979b972a53132f37f03df9
                                                  • Instruction Fuzzy Hash: E941F5B5C00718CBDB24DF9AC884BDEBBB5BF49308F208069D909AB251DB756949CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 04EE0D91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.352679542.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false
                                                  Similarity
                                                  • API ID: CallProcWindow
                                                  • String ID:
                                                  • API String ID: 2714655100-0
                                                  • Opcode ID: a11c55c67686f0baf1165a96eae5ca4c759695aa2c52682e4e49516fee07affb
                                                  • Instruction ID: 41326b15125ecbc0ad2d8275832fc9031c1b50a09a03eda825271cd30d3910ee
                                                  • Opcode Fuzzy Hash: a11c55c67686f0baf1165a96eae5ca4c759695aa2c52682e4e49516fee07affb
                                                  • Instruction Fuzzy Hash: 30413AB8A00215CFDB14CF99C448AAABBF5FF88318F14C859D519AB321D774E845CFA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EF6E4F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.345904530.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 997e50a31c749e49dd06ec6e177b20d82bf5f88258a27f33ab6c5eeab25e9526
                                                  • Instruction ID: 7d0f66ea21097a977a857b11a0b0c33169b11090553aab6f443fe5b16075bd04
                                                  • Opcode Fuzzy Hash: 997e50a31c749e49dd06ec6e177b20d82bf5f88258a27f33ab6c5eeab25e9526
                                                  • Instruction Fuzzy Hash: AE2103B5900208AFDB00CFAAD984AEEBBF4FF48324F15801AE914A7210D774A954CFA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EF6E4F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.345904530.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: c38feee7938ab665f144cb80c47863aece64f1b5fe10cb4d995a06edeb783838
                                                  • Instruction ID: 84e2104deb5fe66fd9e6e53cb12e587bb8a58174bf5db706282c82843470b41e
                                                  • Opcode Fuzzy Hash: c38feee7938ab665f144cb80c47863aece64f1b5fe10cb4d995a06edeb783838
                                                  • Instruction Fuzzy Hash: C421F5B5D002089FDB10CF9AD484ADEBBF4FB48324F14841AE914B7310D774A944CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00EFBE89,00000800,00000000,00000000), ref: 00EFC09A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.345904530.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: f5b7ed92b53848253d2f0cb019ee163a7a203ae4aeb91b47e5bfd26f83663bbd
                                                  • Instruction ID: bf1f0b513b4b8e63d82ae40c74846635d8165a28c64da529bb14bdeeca383995
                                                  • Opcode Fuzzy Hash: f5b7ed92b53848253d2f0cb019ee163a7a203ae4aeb91b47e5bfd26f83663bbd
                                                  • Instruction Fuzzy Hash: 791106B5D00208DFCB10CF9AC544BEEBBF4AB48314F21841ADA15B7600C775A945CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00EFBE89,00000800,00000000,00000000), ref: 00EFC09A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.345904530.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: adaadd7d6c79eabc97b22d7c453b912c26cc3526e25bd345284b538b6bc30d5f
                                                  • Instruction ID: b646fee36c06d5097766a2cb8ab26482f820e146441676191e0456fa7e8d6ad3
                                                  • Opcode Fuzzy Hash: adaadd7d6c79eabc97b22d7c453b912c26cc3526e25bd345284b538b6bc30d5f
                                                  • Instruction Fuzzy Hash: 4121F2B69002099FCB10CF9AC544BAEFBF4AB88724F21852AD915B7200C775A949CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00EFBE0E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.345904530.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: f9deb04c9961f0e573c920f90e27c1896c33edaf4dfd3a67f5f6a958ca1e5a51
                                                  • Instruction ID: 2ed393102e482ca8bd3bddfa3a6dc6389529c89c8419556e298b7267bfbf8970
                                                  • Opcode Fuzzy Hash: f9deb04c9961f0e573c920f90e27c1896c33edaf4dfd3a67f5f6a958ca1e5a51
                                                  • Instruction Fuzzy Hash: 0A11DFB5D006498FCB10CF9AC444ADEFBF4EB88328F14841AD919B7600C379A945CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SetWindowLongW.USER32(?,?,?), ref: 00EFDF1D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.345904530.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                  Similarity
                                                  • API ID: LongWindow
                                                  • String ID:
                                                  • API String ID: 1378638983-0
                                                  • Opcode ID: 3c49fc52e9e8a5475bfa40ba8dd02748fcc9e2ca06f69f2aa62568ff77a46317
                                                  • Instruction ID: dcdde56fd081c445fc8e66e1a2082eb7d9139080093183875e0ae155726db5f2
                                                  • Opcode Fuzzy Hash: 3c49fc52e9e8a5475bfa40ba8dd02748fcc9e2ca06f69f2aa62568ff77a46317
                                                  • Instruction Fuzzy Hash: CF1115B59002088FDB10CF9AD489BDEBBF8FB48324F10841AD915B7300C374A944CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SetWindowLongW.USER32(?,?,?), ref: 00EFDF1D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.345904530.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                  Similarity
                                                  • API ID: LongWindow
                                                  • String ID:
                                                  • API String ID: 1378638983-0
                                                  • Opcode ID: a2daf27450185cb61d9e090903c396ac6d4a8db445c26c5d536ba7203a96c1d6
                                                  • Instruction ID: 9f8ec3aabd69f7c0e3417c7310876b6f54b3a44ddf24e956f7cf054c52ca89cc
                                                  • Opcode Fuzzy Hash: a2daf27450185cb61d9e090903c396ac6d4a8db445c26c5d536ba7203a96c1d6
                                                  • Instruction Fuzzy Hash: F61112BA900209CFDB10CF99D585BEEBBF4FB88324F10841AD959B7240C374A944CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.345661221.0000000000E4D000.00000040.00000001.sdmp, Offset: 00E4D000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a4e62db914290ee6233b06fcc21743ed54ab39d5c93a3d217da726a35c213328
                                                  • Instruction ID: 6ef3f1d4fd223157cb18074907afc0a7a86eb2bc297ba8df361ced1a09d5ec35
                                                  • Opcode Fuzzy Hash: a4e62db914290ee6233b06fcc21743ed54ab39d5c93a3d217da726a35c213328
                                                  • Instruction Fuzzy Hash: 902164B1508300DFCB01CF54EDC0B66BBA5FB8832CF248568E8095B306C73AD856CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.345711806.0000000000E5D000.00000040.00000001.sdmp, Offset: 00E5D000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 178ba01ec5ae5977700a0c56a9e42a66da520901b1b8889ef0e9b91cc432ddf1
                                                  • Instruction ID: 51cd12070729609798384ff1e05ea8c56f5688f58b7713399aa5210a768aea12
                                                  • Opcode Fuzzy Hash: 178ba01ec5ae5977700a0c56a9e42a66da520901b1b8889ef0e9b91cc432ddf1
                                                  • Instruction Fuzzy Hash: 8A210371508200DFCB24CF24D9C0B26BB66FB84329F24C969DC095B386C33AD84ACA62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.345711806.0000000000E5D000.00000040.00000001.sdmp, Offset: 00E5D000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fc68c1b0d68994969db358ec02f604e6871bbef7d5e128a749633c62c5997215
                                                  • Instruction ID: 7e0d16216fcde8f371698b68de1030d5bac799e1cd443bd1980d98d0b2fbce40
                                                  • Opcode Fuzzy Hash: fc68c1b0d68994969db358ec02f604e6871bbef7d5e128a749633c62c5997215
                                                  • Instruction Fuzzy Hash: 5221807550D3C08FCB12CF24D990715BF71EB46314F28C5EAD8498B6A7C33A980ACB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.345661221.0000000000E4D000.00000040.00000001.sdmp, Offset: 00E4D000, based on PE: false
Similarity
• Opcode ID / Opcode Fuzzy Hash: dcf17073787025d1889aa35b610e3710c6ccb65918f9c0fff9b3798e8fb2e40d
• Instruction ID: 43b145145a9387b0d09bf1774fd77e0803c9a35a5ed65f6863ae3a0849ccaef3
• Instruction Fuzzy Hash: A311E676404280CFCF11CF14E9C4B16BF71FB94328F28C6A9D8095B656C33AD85ACBA2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.345661221.0000000000E4D000.00000040.00000001.sdmp, Offset: 00E4D000, based on PE: false
Similarity
• Opcode ID / Opcode Fuzzy Hash: 30142ba6be4b7c6c87d5619ac1f079abc34b43c7c9abc74dada14394c5efe5e6
• Instruction ID: afad3c055b0e76925e3afd7fdb913d78b3367b114115226dd6588eb5a0b37fe8
• Instruction Fuzzy Hash: 1101F77140C344AAD7144A66EC807B6BB98EF99738F18C45AED046B242D3799844DAB1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.345661221.0000000000E4D000.00000040.00000001.sdmp, Offset: 00E4D000, based on PE: false
Similarity
• Opcode ID / Opcode Fuzzy Hash: e1c2b46fb3d4961fbe73ec9f2f26215e23efcd3041790541ae54b315a6c9b364
• Instruction ID: 7ac5abd133bdb0d7080189065cd8b87e9b1cac5a2daff34b6fbda911d6474b4f
• Instruction Fuzzy Hash: 0BF09671408344AFEB148B16DCC4B72FF98EB95738F18C55AED085B286C379AC44DAB1
Uniqueness
• Uniqueness Score: -1.00%

Non-executed Functions

Memory Dump Source
• Source File: 00000000.00000002.345904530.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
Similarity
• Opcode ID / Opcode Fuzzy Hash: 0dfab6a07f6d270da779d2a35772bf81f21b4013514d11f828508955e7462b5b
• Instruction ID: 3e722463b2edc1cfea3c2843291556d64e90888efaa37434515a03b76d7e5687
• Instruction Fuzzy Hash: 2A525BB998170ACFD710CF14E8981997BB1FB48318BE14E08D6616BAD0D3BC657ADF44
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.345904530.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
Similarity
• Opcode ID / Opcode Fuzzy Hash: 3b66b20e0c1f00d5d13ca8ef728c804fdf65c5065d45ec6db5bcc1ac091ec877
• Instruction ID: dcaa1b7aed95558bd2234ee7e302029f3514a446913fbcb18a2719c8612f9e5a
• Instruction Fuzzy Hash: 3EA1BD76E006198FCF05DFA5C8445EEBBF2FF85304B15856AEA05BF261EB34A915CB40
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.344144914.0000000000482000.00000002.00020000.sdmp, Offset: 00480000, based on PE: true
• Associated: 00000000.00000002.344137103.0000000000480000.00000002.00020000.sdmp
• Associated: 00000000.00000002.344351580.000000000057C000.00000002.00020000.sdmp
Similarity
• Opcode ID / Opcode Fuzzy Hash: 2c662e341b5e5637bfa5ad5e3dbf4d0df7f5b52fcbf675c4c1c13b49999f9399
• Instruction ID: dbf93ca4ca2c6a30bd40ac5e373815dee3ffd3f3e8260f0eef2f77689e5540e1
• Instruction Fuzzy Hash: 5171AB5688F3C25FC7438B748C69692BFB15E5312471E49EBC4C1CE4A3E1488A9ECB63
Uniqueness
• Uniqueness Score: -1.00%

Executed Functions

Memory Dump Source
• Source File: 00000005.00000002.600768243.00000000016F0000.00000040.00000001.sdmp, Offset: 016F0000, based on PE: false
Similarity
• Opcode ID / Opcode Fuzzy Hash: 69aa1abca95e6985778d9b4c4559118684db4e818ad2806a1e59cac5444af18d
• Instruction ID: bf37d469349c577a17c0d7a123d4ffce0d8a110f16c119145215ee01236e4916
• Instruction Fuzzy Hash: E8B171728093899FCB06CFA9DC95A8DBFB1AF46304F1980DEE544EB262C7359845CF51
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.607422215.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false
Similarity
• Opcode ID / Opcode Fuzzy Hash: 94d72dbd5c8392ff6f5adc9fe7935824d1743b5be8ec7df793c6a2fe31a6aec7
• Instruction ID: b6b39b82ca14e86864639bf8a202b00e8cbf74fb9118f457a854824b3f08de9b
• Instruction Fuzzy Hash: 258168B1E04209CFDB10CFA9D8806DEFBB5FF48324F20852ED815AB650DB719949CB92
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 016F962E
Memory Dump Source
• Source File: 00000005.00000002.600768243.00000000016F0000.00000040.00000001.sdmp, Offset: 016F0000, based on PE: false
Similarity
• API ID: HandleModule
• API String ID: 4139908857-0
• Opcode ID / Opcode Fuzzy Hash: 34d5818fc65ab677ea4d409f731c6da31b73936deeaff14a56c8177a15d072c4
• Instruction ID: cf0044c794c745cc04253aa54d42e6940df2c277a6405f6d39b98b9d9eed7d23
• Instruction Fuzzy Hash: 3A711270A00B058FDB24DF6AC84576ABBF5BB88308F00892DE64AD7B40DB75E845CB91
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 069C3568
Memory Dump Source
• Source File: 00000005.00000002.607422215.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false
Similarity
• API ID: Query_
• API String ID: 428220571-0
• Opcode ID / Opcode Fuzzy Hash: 1e053cbde29db6de97027ca08f4cb9088efda4526ebc021b6109d170eb50585b
• Instruction ID: acbf3b56a4843e453c8e46cb408a064703f3634ac8503c3ef27c6187e0943c4e
• Instruction Fuzzy Hash: A35133B1D002489FDB10CFA9C981BDEBBB5FF48314F208129E819AB650DB759946CF91
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016FFD0A
Memory Dump Source
• Source File: 00000005.00000002.600768243.00000000016F0000.00000040.00000001.sdmp, Offset: 016F0000, based on PE: false
Similarity
• API ID: CreateWindow
• API String ID: 716092398-0
• Opcode ID / Opcode Fuzzy Hash: db004a3b206bc251187d2a24632e8268d3fd91f66f534f7e97cdcdb173eac1ea
• Instruction ID: 449afac38882c7489e8d7b571fb7a7c5285e028a4a2bedd584f150c86fd636fb
• Instruction Fuzzy Hash: 9151EDB2C043489FDB15CFA9C884ADEBBB1BF49304F24816AE919AB250D7709885CF90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016FFD0A
Memory Dump Source
• Source File: 00000005.00000002.600768243.00000000016F0000.00000040.00000001.sdmp, Offset: 016F0000, based on PE: false
Similarity
• API ID: CreateWindow
• API String ID: 716092398-0
• Opcode ID / Opcode Fuzzy Hash: d7dfe8f0d07a3c443fe991400dfd4c5998fe5ecdfacda3529c99316dc32e1278
• Instruction ID: 4f60e712927ad14d84a733158cb440622b01e2f033eff8a651274b6789650f7b
• Instruction Fuzzy Hash: E251AEB2D003099FDB14CF99C884ADEBBB5FF48314F24816EE919AB250D7749945CF90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,016FBCC6,?,?,?,?,?), ref: 016FBD87
Memory Dump Source
• Source File: 00000005.00000002.600768243.00000000016F0000.00000040.00000001.sdmp, Offset: 016F0000, based on PE: false
Similarity
• API ID: DuplicateHandle
• API String ID: 3793708945-0
• Opcode ID / Opcode Fuzzy Hash: ee768bbc9387fed9a5525cd2274c93cf2eb3163c03a58af0835a7f7d19d71cb5
• Instruction ID: 96b3746f700535fcd2f58216d94692daa47af5638a17a5bc4a66f55e74e0f9b4
• Instruction Fuzzy Hash: 4E21E4B5900248AFDB10CF9AD884AEEBBF4FB48324F14841AE914A7350D378A954CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,016FBCC6,?,?,?,?,?), ref: 016FBD87
Memory Dump Source
• Source File: 00000005.00000002.600768243.00000000016F0000.00000040.00000001.sdmp, Offset: 016F0000, based on PE: false
Similarity
• API ID: DuplicateHandle
• API String ID: 3793708945-0
• Opcode ID / Opcode Fuzzy Hash: 04c5d298750bc4825f70abaae5d6bb2d1e7942536cc6db3a6124c79e8749d063
• Instruction ID: fb96661d754844ac754eeacd171cdc70bc86231af0a46762b7640a3854b269fd
• Instruction Fuzzy Hash: 6921E3B59002489FDB10CFAAD984ADEBFF4EB48324F15841AE914A3350D378A944CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,016F96A9,00000800,00000000,00000000), ref: 016F98BA
Memory Dump Source
• Source File: 00000005.00000002.600768243.00000000016F0000.00000040.00000001.sdmp, Offset: 016F0000, based on PE: false
Similarity
• API ID: LibraryLoad
• API String ID: 1029625771-0
• Opcode ID / Opcode Fuzzy Hash: db6afbae851c1b7aeb028140951327148dcffea84d4b7f6dd577088456222d10
• Instruction ID: c50a6380334bec9ba78f6ce5481fc6a3659b97c6043a12637a6ac247993aae81
• Instruction Fuzzy Hash: 1611F4B5D002099BDB10CF9AC844BDEBBF4AB48324F15882EE625A7700C775A545CFA5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,016F96A9,00000800,00000000,00000000), ref: 016F98BA
Memory Dump Source
• Source File: 00000005.00000002.600768243.00000000016F0000.00000040.00000001.sdmp, Offset: 016F0000, based on PE: false
Similarity
• API ID: LibraryLoad
• API String ID: 1029625771-0
• Opcode ID / Opcode Fuzzy Hash: c0b8020f9a9e806b0fe5c8ac76259a974268e7fc535111cc9b0bce10a394f9b4
• Instruction ID: d1575181dea057de73431cb59abd7f45d8ed19134268126cca623348c7195a6c
• Instruction Fuzzy Hash: 4611F2B69002499FDB10CF9AC844B9EBBF4EB88324F15842EE625A7700C775A945CFA5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?,?,?,?,?,?,016FFE28,?,?,?,?), ref: 016FFE9D
Memory Dump Source
• Source File: 00000005.00000002.600768243.00000000016F0000.00000040.00000001.sdmp, Offset: 016F0000, based on PE: false
Similarity
• API ID: LongWindow
• API String ID: 1378638983-0
• Opcode ID / Opcode Fuzzy Hash: 59ff9df4c892929a7bafba33eb1c0ba5021277538af27616097c571071737426
• Instruction ID: 5dcab672e11cc336567e96c2fae533b2684eb3db628e0c72b52813317ffa2ca0
• Instruction Fuzzy Hash: A71113B58002489FDB10CF99C888BDFBBF8EB48724F10845ADA55A3300C374A944CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 016F962E
Memory Dump Source
• Source File: 00000005.00000002.600768243.00000000016F0000.00000040.00000001.sdmp, Offset: 016F0000, based on PE: false
Similarity
• API ID: HandleModule
• API String ID: 4139908857-0
• Opcode ID / Opcode Fuzzy Hash: 6ab9dd9ed6f6084232ed5ee81fd642da19e395aed252ec015aa07ca7e6436a50
• Instruction ID: c6709ed56e52610acb9d6e7ed9b054ae0336d329a18413de5515f57af4082c05
• Instruction Fuzzy Hash: 0911DFB5D006598FDB10CF9AC844BDEFBF4AB88728F14841AD519A7700C378A545CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?,?,?,?,?,?,016FFE28,?,?,?,?), ref: 016FFE9D
Memory Dump Source
• Source File: 00000005.00000002.600768243.00000000016F0000.00000040.00000001.sdmp, Offset: 016F0000, based on PE: false
Similarity
• API ID: LongWindow
• API String ID: 1378638983-0
• Opcode ID / Opcode Fuzzy Hash: 98773b5bb99f08343f5628d5d275c6d9a8cf1c1f3dba721c3fdbd7d7172ba474
• Instruction ID: 9270d65b2a90a0346b9096aac912b2ca1826eb7c2652c6560cdef7027506ecbc
• Instruction Fuzzy Hash: 581106B69002489FDB10CF99D985BDFBBF8EB48724F108459EA15A7301C374A944CFA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.600531426.000000000166D000.00000040.00000001.sdmp, Offset: 0166D000, based on PE: false
Similarity
• Opcode ID / Opcode Fuzzy Hash: 89f760a239f7324145c1b18405665eca3bf857130a7bd49709615fd3130a2c6c
• Instruction ID: e992590bd3179ec02f00af97a58c8ceebb93116101027b54dbd6818b644ba546
• Instruction Fuzzy Hash: 482148B1604200DFDB01CF98DDC0B66BF69FB88328F24C568D9454B706C336E856CBA2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.600564537.000000000167D000.00000040.00000001.sdmp, Offset: 0167D000, based on PE: false
Similarity
• Opcode ID / Opcode Fuzzy Hash: 3983977daab35c6feb42e80640edc63c3ed29830a81b61500a9b1f316371aa59
• Instruction ID: 717422a32ca7601b207c6abdf7d154ce412670b30ee251a2c2406e7d4ca2d8d5
• Instruction Fuzzy Hash: D0212275504200DFCB16CFA8DDC0B26BB65FF88364F24C969D80A4B346C33AD847CA62
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.600531426.000000000166D000.00000040.00000001.sdmp, Offset: 0166D000, based on PE: false
Similarity
• Opcode ID / Opcode Fuzzy Hash: dcf17073787025d1889aa35b610e3710c6ccb65918f9c0fff9b3798e8fb2e40d
• Instruction ID: 397dcb31f1ba21b4c19de020ead047b7655021bd772da7375cd7655edd2d73b8
• Instruction Fuzzy Hash: 9B11E176504280DFCB12CF48D9C0B16BF71FB84324F28C2A9D9450B716C336D45ACBA2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.600564537.000000000167D000.00000040.00000001.sdmp, Offset: 0167D000, based on PE: false
Similarity
• Opcode ID / Opcode Fuzzy Hash: 12f67fdc9dc56767326eaed59dca694e0c2acc2b1ab9e6f0ee5cc82c48f064fa
• Instruction ID: 27bfb7ad555403dbff7263c47974a0d098b174aa5057d6fdb4efdf1884627c04
• Instruction Fuzzy Hash: 95118B75504280DFDB12CF58D9C4B15BBA1FF84324F28CAAAD8494B756C33AD45ACBA2
Uniqueness
• Uniqueness Score: -1.00%

Non-executed Functions