Windows Analysis Report
PO64747835 PDF.exe

Overview

General Information

Sample Name:	PO64747835 PDF.exe
Analysis ID:	634445
MD5:	9a548d0455360a501ea392c85ecdb905
SHA1:	2d96b448e8a70468c24aa1e9848c350e9fab1696
SHA256:	9af1b3d7b095b178c588d19e2d7a9418d5c638b4ac7b94ba3dc9d9223f14a52c
Tags:	exe
Infos:

Detection

GuLoader

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Binary contains a suspicious time stamp

Detected potential crypto function

PE file contains more sections than normal

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Found malware configuration

Source: 00000000.00000002.769947048.0000000002920000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://donaldtrumpverse.com/kOrg_stUoodKu54.bin"}

Multi AV Scanner detection for submitted file

Source: PO64747835 PDF.exe

ReversingLabs: Detection: 14%

Uses 32bit PE files

Source: PO64747835 PDF.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\PO64747835 PDF.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PARANTHRACENE

Jump to behavior

Source: PO64747835 PDF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msvcr100.i386.pdb source: PO64747835 PDF.exe, 00000000.00000002.769148112.000000000040D000.00000004.00000001.01000000.00000003.sdmp, msvcr100.dll.0.dr
Source:	Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\CDMDataEventHandlerLibrary\CDMDataEventHandler\obj\Release\net46\CDMDataEventHandler.pdbSHA2562 source: CDMDataEventHandler.dll.0.dr
Source:	Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\CDMDataEventHandlerLibrary\CDMDataEventHandler\obj\Release\net46\CDMDataEventHandler.pdb source: CDMDataEventHandler.dll.0.dr

Source: C:\Users\user\Desktop\PO64747835 PDF.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\PO64747835 PDF.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\PO64747835 PDF.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://donaldtrumpverse.com/kOrg_stUoodKu54.bin

Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: PO64747835 PDF.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://pie-us1.api.ws-hp.com/clienttelemetry
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/gun/com.hp.cdm.platform.software.domain.eventing.reso
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/id/sw/originatorDetail.schema.json
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/id/sw/sysInfoBase.schema.json
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://stage-us1.api.ws-hp.com/clienttelemetry
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://us1.api.ws-hp.com/clienttelemetry
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\PO64747835 PDF.exe

Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056DE

Uses 32bit PE files

Source: PO64747835 PDF.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Sample file is different than original file name gathered from version info

Source: PO64747835 PDF.exe, 00000000.00000002.769148112.000000000040D000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamemsvcr100_clr0400.dll^ vs PO64747835 PDF.exe

PE file contains strange resources

Source: PO64747835 PDF.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\PO64747835 PDF.exe

Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040352D

Detected potential crypto function

Source: C:\Users\user\Desktop\PO64747835 PDF.exe	Code function: 0_2_0040755C	0_2_0040755C
Source: C:\Users\user\Desktop\PO64747835 PDF.exe	Code function: 0_2_00406D85	0_2_00406D85
Source: C:\Users\user\Desktop\PO64747835 PDF.exe	Code function: 0_2_734B1BFF	0_2_734B1BFF

PE file contains more sections than normal

Source: libLerc.dll.0.dr	Static PE information: Number of sections : 11 > 10
Source: libenchant-2.dll.0.dr	Static PE information: Number of sections : 12 > 10
Source: gspawn-win64-helper.exe.0.dr	Static PE information: Number of sections : 11 > 10

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\PO64747835 PDF.exe

Process Stats: CPU usage > 98%

Source: PO64747835 PDF.exe

ReversingLabs: Detection: 14%

Source: C:\Users\user\Desktop\PO64747835 PDF.exe

File read: C:\Users\user\Desktop\PO64747835 PDF.exe

Jump to behavior

Source: PO64747835 PDF.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO64747835 PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\PO64747835 PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO64747835 PDF.exe

0_2_0040352D

Source: CDMDataEventHandler.dll.0.dr, Hp.CDMDataEventHandler/Sender/TelemetrySender.cs

Base64 encoded string: 'uWg5oksEUHoewK5WcwMNmfkglf2HF7AWQAGHYz0VfFMeg1YF2aEU/2OPoeETAl78'

Source: C:\Users\user\Desktop\PO64747835 PDF.exe

File created: C:\Users\user\AppData\Local\Temp\nsjD8DF.tmp

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.winEXE@1/11@0/1

Source: C:\Users\user\Desktop\PO64747835 PDF.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\PO64747835 PDF.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO64747835 PDF.exe

Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040498A

Source: C:\Users\user\Desktop\PO64747835 PDF.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PARANTHRACENE

Jump to behavior

Source: PO64747835 PDF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msvcr100.i386.pdb source: PO64747835 PDF.exe, 00000000.00000002.769148112.000000000040D000.00000004.00000001.01000000.00000003.sdmp, msvcr100.dll.0.dr
Source:	Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\CDMDataEventHandlerLibrary\CDMDataEventHandler\obj\Release\net46\CDMDataEventHandler.pdbSHA2562 source: CDMDataEventHandler.dll.0.dr
Source:	Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\CDMDataEventHandlerLibrary\CDMDataEventHandler\obj\Release\net46\CDMDataEventHandler.pdb source: CDMDataEventHandler.dll.0.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.769947048.0000000002920000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\PO64747835 PDF.exe

Code function: 0_2_734B30C0 push eax; ret

0_2_734B30EE

PE file contains sections with non-standard names

Source: gspawn-win64-helper.exe.0.dr	Static PE information: section name: .xdata
Source: libLerc.dll.0.dr	Static PE information: section name: .xdata
Source: libenchant-2.dll.0.dr	Static PE information: section name: .xdata

Binary contains a suspicious time stamp

Source: CDMDataEventHandler.dll.0.dr

Static PE information: 0x9C213F02 [Thu Jan 2 09:55:14 2053 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\PO64747835 PDF.exe

Code function: 0_2_734B1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_734B1BFF

Source: initial sample

Static PE information: section name: .text entropy: 6.90904492268

Drops PE files

Source: C:\Users\user\Desktop\PO64747835 PDF.exe	File created: C:\Users\user\AppData\Local\Temp\CDMDataEventHandler.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PO64747835 PDF.exe	File created: C:\Users\user\AppData\Local\Temp\libLerc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PO64747835 PDF.exe	File created: C:\Users\user\AppData\Local\Temp\libenchant-2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PO64747835 PDF.exe	File created: C:\Users\user\AppData\Local\Temp\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PO64747835 PDF.exe	File created: C:\Users\user\AppData\Local\Temp\gspawn-win64-helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO64747835 PDF.exe	File created: C:\Users\user\AppData\Local\Temp\nseD9AB.tmp\System.dll	Jump to dropped file

Source: C:\Users\user\Desktop\PO64747835 PDF.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\PO64747835 PDF.exe

RDTSC instruction interceptor: First address: 00000000029228CF second address: 00000000029228CF instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F8FC0BA137Dh 0x00000006 inc ebp 0x00000007 pushad 0x00000008 mov bh, F8h 0x0000000a cmp bh, FFFFFFF8h 0x0000000d jne 00007F8FC0BAA368h 0x00000013 popad 0x00000014 inc ebx 0x00000015 rdtsc

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\PO64747835 PDF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CDMDataEventHandler.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PO64747835 PDF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libenchant-2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PO64747835 PDF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libLerc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PO64747835 PDF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PO64747835 PDF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gspawn-win64-helper.exe	Jump to dropped file

Source: C:\Users\user\Desktop\PO64747835 PDF.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\PO64747835 PDF.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\PO64747835 PDF.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\Desktop\PO64747835 PDF.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\PO64747835 PDF.exe	API call chain: ExitProcess graph end node

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\PO64747835 PDF.exe

Code function: 0_2_734B1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_734B1BFF

Source: C:\Users\user\Desktop\PO64747835 PDF.exe

0_2_0040352D

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://donaldtrumpverse.com/kOrg_stUoodKu54.bin	true	Avira URL Cloud: safe	unknown

ID:	634445
Product:	CloudBasic
Start time:	06:00:09
Start date:	26.05.2022
Sample:	PO64747835 PDF.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	9a548d0455360a501ea392c85ecdb905
SHA1:	2d96b448e8a70468c24aa1e9848c350e9fab1696
SHA256:	9af1b3d7b095b178c588d19e2d7a9418d5c638b4ac7b94ba3dc9d9223f14a52c
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\Bluetooth Suite help_ITA.chm	MS Windows HtmlHelp Data	27729CF331D3767DF077F52B262D88F3	EF4B6F74A0608B5A4DC6E3CA465A96137C1CAD74	CA601E57DD2C1E6E92145A8A19083599261B626A4D26B04D8C3FD5BDDDB2CB0D
C:\Users\user\AppData\Local\Temp\CDMDataEventHandler.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	25F3ECFD195030F6B1BAD60E5EF97163	749B7E267CDBBC83783DFA4C7BF45134556C13D7	FCD740746D2B3E01945E6A099AB4CDD06ECE05818E25D08C5DDAFBD333B0DC84
C:\Users\user\AppData\Local\Temp\RACOYIAN.hav	data	E17F742A3B79DF2D21AC403EAFB27574	5A53F28B12C228F77FAF580A54F1E12AC6B93427	D8A19805B48F85692AB8E6D8090A5151041DC73DD5C07B98171F7AE242250E41
C:\Users\user\AppData\Local\Temp\foromtalers.Fid	ASCII text, with very long lines, with no line terminators	EEDF996AEE7BE718D4ED650F72298AC4	BC860286D87BA1D7C66A9E3351C14A8C1C230461	8ACC66E278720D3C67A2295079BB8C9A595C9732A85F361E01B22349246E333E
C:\Users\user\AppData\Local\Temp\gspawn-win64-helper.exe	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows	8154B723020AEE70829FFC138C9D1C4C	6F7AF3827B37845F071625458DF1DB8BA9056FD6	902F9D2A239CCAEBA677DB5838654FB6CE7CF3D21243B8EF122E9D970714B0D3
C:\Users\user\AppData\Local\Temp\libLerc.dll	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows	58BFEB91921D4882F7EDABAB9C0C1C17	596DB0512A25089EF7CDE48CA3393E4F6878FF90	5C9DB6D64BAF0250735368825CEC3032EC39999F266125D132157ECC0403EE12
C:\Users\user\AppData\Local\Temp\libenchant-2.dll	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows	6A9928C42EB4375CCEF3A025F3535795	395703F4970B42F55C2BCB2B8CF3F0D12E192CEB	CAA457EF4BD84476790D215FFFF048DEB162CABC14DB3FF679795CCEA8972411
C:\Users\user\AppData\Local\Temp\msvcr100.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	0E37FBFA79D349D672456923EC5FBBE3	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
C:\Users\user\AppData\Local\Temp\nseD9AB.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CFF85C549D536F651D4FB8387F1976F2	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
C:\Users\user\AppData\Local\Temp\system-shutdown.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	84D033B14C06568FA57352CCF18D8D35	1D75B42F61842E8B0FA8D811DAC72B313CDDCA74	3989B93626DC3ED6EF03430AD0B1FF5C6E358DAC76E34ED7C8086579B68E660F
C:\Users\user\AppData\Local\Temp\zoom-out-symbolic.svg	SVG Scalable Vector Graphics image	C05C42CB3D95BF3BC7F49CCD8DCCA510	20442E344E95508586B1B2A7B4C6272C3F5C86F8	695554CE5F23A275D3C25C27410D0CFBF8A83156807DAA3A601635E4E5D8AED0

Windows Analysis Report
PO64747835 PDF.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted URLs

Windows Analysis Report PO64747835 PDF.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted URLs

Windows Analysis Report
PO64747835 PDF.exe