Source: 00000000.00000002.769947048.0000000002920000.00000040.00001000.00020000.00000000.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "http://donaldtrumpverse.com/kOrg_stUoodKu54.bin"} |
Source: PO64747835 PDF.exe |
ReversingLabs: Detection: 14% |
Source: PO64747835 PDF.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PARANTHRACENE |
Source: PO64747835 PDF.exe |
Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: |
Binary string: msvcr100.i386.pdb source: PO64747835 PDF.exe, 00000000.00000002.769148112.000000000040D000.00000004.00000001.01000000.00000003.sdmp, msvcr100.dll.0.dr |
Source: |
Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\CDMDataEventHandlerLibrary\CDMDataEventHandler\obj\Release\net46\CDMDataEventHandler.pdbSHA2562 source: CDMDataEventHandler.dll.0.dr |
Source: |
Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\CDMDataEventHandlerLibrary\CDMDataEventHandler\obj\Release\net46\CDMDataEventHandler.pdb source: CDMDataEventHandler.dll.0.dr |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
0_2_00405C49 |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Code function: 0_2_00406873 FindFirstFileW,FindClose, |
0_2_00406873 |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Code function: 0_2_0040290B FindFirstFileW, |
0_2_0040290B |
Source: Malware configuration extractor |
URLs: http://donaldtrumpverse.com/kOrg_stUoodKu54.bin |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0 |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05 |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: PO64747835 PDF.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: http://ocsp.digicert.com0N |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: http://ocsp.digicert.com0O |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: https://pie-us1.api.ws-hp.com/clienttelemetry |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/gun/com.hp.cdm.platform.software.domain.eventing.reso |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/id/sw/originatorDetail.schema.json |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/id/sw/sysInfoBase.schema.json |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: https://stage-us1.api.ws-hp.com/clienttelemetry |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: https://us1.api.ws-hp.com/clienttelemetry |
Source: CDMDataEventHandler.dll.0.dr |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, |
0_2_004056DE |
Source: PO64747835 PDF.exe, 00000000.00000002.769148112.000000000040D000.00000004.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamemsvcr100_clr0400.dll^ vs PO64747835 PDF.exe |
Source: PO64747835 PDF.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
0_2_0040352D |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Code function: 0_2_0040755C |
0_2_0040755C |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Code function: 0_2_00406D85 |
0_2_00406D85 |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Code function: 0_2_734B1BFF |
0_2_734B1BFF |
Source: libLerc.dll.0.dr |
Static PE information: Number of sections : 11 > 10 |
Source: libenchant-2.dll.0.dr |
Static PE information: Number of sections : 12 > 10 |
Source: gspawn-win64-helper.exe.0.dr |
Static PE information: Number of sections : 11 > 10 |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
File read: C:\Users\user\Desktop\PO64747835 PDF.exe |
Source: PO64747835 PDF.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Source: CDMDataEventHandler.dll.0.dr, Hp.CDMDataEventHandler/Sender/TelemetrySender.cs |
Base64 encoded string: 'uWg5oksEUHoewK5WcwMNmfkglf2HF7AWQAGHYz0VfFMeg1YF2aEU/2OPoeETAl78' |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
File created: C:\Users\user\AppData\Local\Temp\nsjD8DF.tmp |
Source: classification engine |
Classification label: mal72.troj.evad.winEXE@1/11@0/1 |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Code function: 0_2_004021AA CoCreateInstance, |
0_2_004021AA |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
File read: C:\Users\desktop.ini |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, |
0_2_0040498A |
Source: Yara match |
File source: 00000000.00000002.769947048.0000000002920000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Code function: 0_2_734B30C0 push eax; ret |
0_2_734B30EE |
Source: gspawn-win64-helper.exe.0.dr |
Static PE information: section name: .xdata |
Source: libLerc.dll.0.dr |
Static PE information: section name: .xdata |
Source: libenchant-2.dll.0.dr |
Static PE information: section name: .xdata |
Source: CDMDataEventHandler.dll.0.dr |
Static PE information: 0x9C213F02 [Thu Jan 2 09:55:14 2053 UTC] |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Code function: 0_2_734B1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, |
0_2_734B1BFF |
Source: initial sample |
Static PE information: section name: .text entropy: 6.90904492268 |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
File created: C:\Users\user\AppData\Local\Temp\CDMDataEventHandler.dll |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
File created: C:\Users\user\AppData\Local\Temp\libLerc.dll |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
File created: C:\Users\user\AppData\Local\Temp\libenchant-2.dll |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
File created: C:\Users\user\AppData\Local\Temp\msvcr100.dll |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
File created: C:\Users\user\AppData\Local\Temp\gspawn-win64-helper.exe |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
File created: C:\Users\user\AppData\Local\Temp\nseD9AB.tmp\System.dll |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
RDTSC instruction interceptor: First address: 00000000029228CF second address: 00000000029228CF instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F8FC0BA137Dh 0x00000006 inc ebp 0x00000007 pushad 0x00000008 mov bh, F8h 0x0000000a cmp bh, FFFFFFF8h 0x0000000d jne 00007F8FC0BAA368h 0x00000013 popad 0x00000014 inc ebx 0x00000015 rdtsc |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CDMDataEventHandler.dll |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libenchant-2.dll |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libLerc.dll |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\msvcr100.dll |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gspawn-win64-helper.exe |
Source: C:\Users\user\Desktop\PO64747835 PDF.exe |
API call chain: ExitProcess graph end node |