
Analysis Report

Overview

General Information

Joe Sandbox Version: 23.0.0
Analysis ID: 67739
Start time: 11:03:18
Joe Sandbox Product: CloudBasic
Start date: 12.07.2018
Overall analysis duration: 0h 4m 20s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 51vsl_docs 12-07_pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.evad.spyw.troj.winEXE@3/4@64/2
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 35
  • Number of non-executed functions: 6
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 97.9% (good quality ratio 94.1%)
  • Quality average: 77.2%
  • Quality standard deviation: 28.6%
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: 51vsl_docs 12-07_pdf.exe

Detection

Strategy    Score   Range      Reporting        Detection
Threshold   88      0 - 100    Report FP / FN   malicious

Confidence

Strategy    Score   Range    Further Analysis Required?   Confidence
Threshold   5       0 - 5    false


Classification

Analysis Advice

None of the domains contacted by the sample resolve. The sample is likely an old dropper that no longer works.



Signature Overview



AV Detection:

Antivirus detection for unpacked file
Source: 2.0.51vsl_docs 12-07_pdf.exe.400000.5.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.1.51vsl_docs 12-07_pdf.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.0.51vsl_docs 12-07_pdf.exe.400000.9.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.0.51vsl_docs 12-07_pdf.exe.400000.8.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.2.51vsl_docs 12-07_pdf.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.0.51vsl_docs 12-07_pdf.exe.400000.7.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.0.51vsl_docs 12-07_pdf.exe.400000.4.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 1.2.51vsl_docs 12-07_pdf.exe.4d26000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.0.51vsl_docs 12-07_pdf.exe.400000.6.unpack | Avira: Label: TR/Crypt.XPACK.Gen

Networking:

Tries to resolve many domain names, but no domain seems valid
Source: unknown | DNS traffic detected: query: mozaks.net replaycode: Server failure (2) (this entry appears 60 times in the report)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown | DNS traffic detected: query: mozaks.net replaycode: Server failure (2) (this entry appears 60 times in the report)
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: 2_2_00404ED4 recv, | 2_2_00404ED4
Found strings which match to known social media urls
Source: lsass.exe, 00000003.00000000.16139586923.000BD000.00000004.sdmp | String found in binary or memory: *.youtube.com equals www.youtube.com (Youtube)
Source: lsass.exe, 00000003.00000000.16139586923.000BD000.00000004.sdmp | String found in binary or memory: youtube.com equals www.youtube.com (Youtube)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: mozaks.net
Urls found in memory or binary data
Source: 51vsl_docs 12-07_pdf.exe | String found in binary or memory: file:///
Source: 51vsl_docs 12-07_pdf.exe, 00000001.00000002.16083106069.04D26000.00000040.sdmp, 51vsl_docs 12-07_pdf.exe, 00000002.00000000.16074871295.00400000.00000040.sdmp | String found in binary or memory: file:///Software
Source: 51vsl_docs 12-07_pdf.exe | String found in binary or memory: ftp://
Source: 51vsl_docs 12-07_pdf.exe, 00000001.00000002.16083106069.04D26000.00000040.sdmp, 51vsl_docs 12-07_pdf.exe, 00000002.00000000.16074871295.00400000.00000040.sdmp | String found in binary or memory: ftp://ftp://ftps://http://https://
Source: 51vsl_docs 12-07_pdf.exe | String found in binary or memory: http://
Source: lsass.exe, 00000003.00000000.16139586923.000BD000.00000004.sdmp | String found in binary or memory: http://clients1.google.com/ocsp0
Source: lsass.exe, 00000003.00000000.16139586923.000BD000.00000004.sdmp | String found in binary or memory: http://g.symcb.com/crls/gtglobal.crl0
Source: lsass.exe, 00000003.00000000.16139586923.000BD000.00000004.sdmp | String found in binary or memory: http://g.symcd.com0
Source: 51vsl_docs 12-07_pdf.exe, 00000001.00000002.16083106069.04D26000.00000040.sdmp, 51vsl_docs 12-07_pdf.exe, 00000002.00000000.16074871295.00400000.00000040.sdmp | String found in binary or memory: http://https:///:80%sexeMachineGuidSOFTWARE
Source: 51vsl_docs 12-07_pdf.exe, 00000002.00000002.16503974125.0049F000.00000040.sdmp | String found in binary or memory: http://mozaks.net/diy/admin/office/work/panel/fre.php
Source: lsass.exe, 00000003.00000000.16139586923.000BD000.00000004.sdmp | String found in binary or memory: http://pki.google.com/GIAG2.crl0
Source: lsass.exe, 00000003.00000000.16139586923.000BD000.00000004.sdmp | String found in binary or memory: http://pki.google.com/GIAG2.crt0
Source: 51vsl_docs 12-07_pdf.exe, 51vsl_docs 12-07_pdf.exe, 00000002.00000000.16074871295.00400000.00000040.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
Source: 51vsl_docs 12-07_pdf.exe | String found in binary or memory: https://

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Key opened: HKEY_USERS\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Key opened: HKEY_USERS\Software\SimonTatham\PuTTY\Sessions
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Key opened: HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Key opened: HKEY_USERS\Software\Martin Prikryl
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wazh7fcp.default\secmod.db
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wazh7fcp.default\cert8.db
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wazh7fcp.default\key3.db
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | File opened: HKEY_USERS\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | File opened: HKEY_USERS\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | File opened: HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | File opened: HKEY_USERS\Software\Far\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | File opened: HKEY_USERS\Software\FlashPeak\BlazeFtp\Settings
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Key opened: HKEY_USERS\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Key opened: HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Key opened: HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: PopPassword | 2_2_0040D069
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: SmtpPassword | 2_2_0040D069
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: PopPassword | 2_1_0040D069
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: SmtpPassword | 2_1_0040D069

Data Obfuscation:

PE file contains an invalid checksum
Source: 51vsl_docs 12-07_pdf.exe | Static PE information: real checksum: 0x9a060 should be: 0x9936d
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: 2_2_00402AC0 push eax; ret | 2_2_00402AD4
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: 2_2_00402AC0 push eax; ret | 2_2_00402AFC
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: 2_1_00402AC0 push eax; ret | 2_1_00402AD4
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: 2_1_00402AC0 push eax; ret | 2_1_00402AFC
Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 7.21013892439

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, | 2_2_00403D74
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: 2_1_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, | 2_1_00403D74

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: 51vsl_docs 12-07_pdf.exe
Creates mutexes
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\09E3E1D85CB65E97AFA24C0A
Detected potential crypto function
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: 2_2_004029D4 | 2_2_004029D4
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: 2_2_0040549C | 2_2_0040549C
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: 2_1_004029D4 | 2_1_004029D4
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: 2_1_0040549C | 2_1_0040549C
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: String function: 00405B6F appears 84 times
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: String function: 00404BEE appears 56 times
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: String function: 00412093 appears 40 times
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: String function: 0041219C appears 90 times
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: String function: 00404B22 appears 54 times
PE file contains strange resources
Source: 51vsl_docs 12-07_pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file name differs from the original file name gathered from version info
Source: 51vsl_docs 12-07_pdf.exe, 00000001.00000002.16077018959.00200000.00000008.sdmp | Binary or memory string: OriginalFilenameMSCTF.DLL.MUIj% vs 51vsl_docs 12-07_pdf.exe
Source: 51vsl_docs 12-07_pdf.exe, 00000001.00000002.16076513440.001E0000.00000008.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 51vsl_docs 12-07_pdf.exe
Source: 51vsl_docs 12-07_pdf.exe, 00000001.00000002.16077257806.00488000.00000002.sdmp | Binary or memory string: OriginalFilenamePhonoglyph4.exe vs 51vsl_docs 12-07_pdf.exe
Source: 51vsl_docs 12-07_pdf.exe, 00000002.00000000.16073632133.00488000.00000002.sdmp | Binary or memory string: OriginalFilenamePhonoglyph4.exe vs 51vsl_docs 12-07_pdf.exe
Source: 51vsl_docs 12-07_pdf.exe | Binary or memory string: OriginalFilenamePhonoglyph4.exe vs 51vsl_docs 12-07_pdf.exe
Searches the installation path of Mozilla Firefox
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\54.0.1 (x86 en-US)\Main Install Directory
Classification label
Source: classification engine | Classification label: mal88.evad.spyw.troj.winEXE@3/4@64/2
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: 2_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges, | 2_2_0040650A
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: 2_1_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges, | 2_1_0040650A
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: 2_2_004047E6 CreateToolhelp32Snapshot,Process32FirstW, | 2_2_004047E6
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: 2_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize, | 2_2_0040434D
Creates files inside the user directory
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-290172400-2828352916-2832973385-1004\e312237aeac8ba038d4356ccd37913e3_0f4f5130-48fa-4204-b1c4-585fbb81cd25
PE file has an executable .text section and no other executable section
Source: 51vsl_docs 12-07_pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using VB runtime library 6.0 (probably coded in Visual Basic)
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Section loaded: C:\Windows\System32\msvbvm60.dll
Reads ini files
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Reads software policies
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe 'C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe'
Source: unknown | Process created: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe 'C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe'
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Process created: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe 'C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe'
Checks if Microsoft Office is installed
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Key opened: HKEY_USERS\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 200000 protect: page execute and read and write
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 650000 protect: page execute and read and write
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 200000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Memory protected: C:\Windows\System32\lsass.exe base: 200000 protect: page execute and read and write
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Memory protected: C:\Windows\System32\lsass.exe base: 200000 protect: page execute and read and write
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Memory protected: C:\Windows\System32\lsass.exe base: 650000 protect: page execute and read and write
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Memory protected: C:\Windows\System32\lsass.exe base: 650000 protect: page execute and read and write
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Memory protected: C:\Windows\System32\lsass.exe base: 200000 protect: page execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Thread register set: target process: 3708
Writes to foreign memory regions
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Memory written: C:\Windows\System32\lsass.exe base: 200000
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Memory written: C:\Windows\System32\lsass.exe base: 650000
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Memory written: C:\Windows\System32\lsass.exe base: 200000
May try to detect the Windows Explorer process (often used for injection)
Source: 51vsl_docs 12-07_pdf.exe, 00000002.00000002.16504060412.006A0000.00000002.sdmp | Binary or memory string: Progman
Source: 51vsl_docs 12-07_pdf.exe, 00000002.00000002.16504060412.006A0000.00000002.sdmp | Binary or memory string: Program Manager
Source: 51vsl_docs 12-07_pdf.exe, 00000002.00000002.16504060412.006A0000.00000002.sdmp | Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | System information queried: KernelDebuggerInformation
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: 2_2_0040317B mov eax, dword ptr fs:[00000030h] | 2_2_0040317B
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: 2_1_0040317B mov eax, dword ptr fs:[00000030h] | 2_1_0040317B
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: 2_2_00402B7C GetProcessHeap,RtlAllocateHeap, | 2_2_00402B7C
Enables debug privileges
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Process token adjusted: Debug

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Thread delayed: delay time: 11878000
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe TID: 3712 | Thread sleep time: -300000s >= -60000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, | 2_2_00403D74
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Code function: 2_1_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, | 2_1_00403D74
Queries a list of all running processes
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Process information queried: ProcessInformation

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Process information set: NOOPENFILEERRORBOX (this entry appears 10 times in the report)
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Process information set: NOGPFAULTERRORBOX

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc.) of a device
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wazh7fcp.default\secmod.db VolumeInformation
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wazh7fcp.default\cert8.db VolumeInformation
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wazh7fcp.default\key3.db VolumeInformation
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\51vsl_docs 12-07_pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Simulations

Behavior and APIs

Time | Type | Description
11:03:28 | API Interceptor | 7x Sleep call for process: 51vsl_docs 12-07_pdf.exe modified
11:03:56 | API Interceptor | 1x Sleep call for process: lsass.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label | Link
2.0.51vsl_docs 12-07_pdf.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
2.1.51vsl_docs 12-07_pdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
2.0.51vsl_docs 12-07_pdf.exe.400000.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
2.0.51vsl_docs 12-07_pdf.exe.400000.8.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
2.2.51vsl_docs 12-07_pdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
2.0.51vsl_docs 12-07_pdf.exe.400000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
2.0.51vsl_docs 12-07_pdf.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
1.2.51vsl_docs 12-07_pdf.exe.4d26000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
2.0.51vsl_docs 12-07_pdf.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |

Domains

Source | Detection | Scanner | Label | Link
mozaks.net | 0% | virustotal | | Browse

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots