Windows Analysis Report
9348000 EDT8 EDQ-905.pdf.exe

Overview

General Information

Sample name:	9348000 EDT8 EDQ-905.pdf.exe
Analysis ID:	1542078
MD5:	2303f1ec39ce8a6567d311af14d35904
SHA1:	a1060385d87b7a10ee9b1cf78f13637f5af235d3
SHA256:	e81b6b5dc10fa29138e68b8020a73f9a767877d3a85e1a5396ec08b20d3a8be3
Tags:	exe
Infos:

Detection

PureLog Stealer, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Suricata IDS alerts for network traffic

Yara detected PureLog Stealer

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

One or more processes crash

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Found malware configuration

Source: 00000004.00000002.3238992933.00000000043C1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["154.216.18.238"], "Port": "1194", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: 9348000 EDT8 EDQ-905.pdf.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 9348000 EDT8 EDQ-905.pdf.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack	String decryptor: 154.216.18.238
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack	String decryptor: 1194
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack	String decryptor: <123456789>
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack	String decryptor: <Xwormmm>
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack	String decryptor: XWorm V5.6
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack	String decryptor: USB.exe
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack	String decryptor: %AppData%
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack	String decryptor: AYT.exe

Uses 32bit PE files

Source: 9348000 EDT8 EDQ-905.pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: mscorlib.pdbD source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: HP<o0C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdbL} source: RegSvcs.exe, 00000004.00000002.3240349963.00000000066F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3240497153.0000000006766000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdbRSDS source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: Accessibility.pdb\ source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.3238992933.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3237486712.0000000003340000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3236898593.000000000305C000.00000004.00000020.00020000.00000000.sdmp, WER5E88.tmp.dmp.9.dr
Source:	Binary string: RegSvcs.pdb, source: AYT.exe.4.dr
Source:	Binary string: wntdll.pdbUGP source: 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000003.2140368863.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000003.2139603483.0000000004330000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000003.2158369458.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000003.2159078467.0000000004370000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000003.2140368863.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000003.2139603483.0000000004330000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000003.2158369458.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000003.2159078467.0000000004370000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdbH source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: RegSvcs.pdb source: AYT.exe.4.dr
Source:	Binary string: System.Configuration.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3240349963.00000000066F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: %%.pdb source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdbp_ source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3235828494.0000000001657000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3235828494.00000000016B3000.00000004.00000020.00020000.00000000.sdmp, WER5E88.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3240497153.0000000006766000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb[ source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Management.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3240497153.0000000006766000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb#Dnm. source: RegSvcs.exe, 00000004.00000002.3240497153.0000000006766000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.pdb\m source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: @Ho.pdb source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: ?HoC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER5E88.tmp.dmp.9.dr

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452126
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	0_2_0045C999
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00436ADE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00434BEE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0045DD7C FindFirstFileW,FindClose,	0_2_0045DD7C
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD29
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	0_2_00436D2D
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442E1F
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00475FE5
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8D
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	3_2_00452126
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	3_2_0045C999
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	3_2_00436ADE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00434BEE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0045DD7C FindFirstFileW,FindClose,	3_2_0045DD7C
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	3_2_0044BD29
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	3_2_00436D2D
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00442E1F
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	3_2_00475FE5
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_0044BF8D

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 154.216.18.238:1194 -> 192.168.2.6:49716
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 154.216.18.238:1194 -> 192.168.2.6:49716
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49716 -> 154.216.18.238:1194
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49716 -> 154.216.18.238:1194

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 154.216.18.238

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49716 -> 154.216.18.238:1194

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo

Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile,

0_2_0044289D

Source: RegSvcs.exe, 00000004.00000002.3237597397.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, XLogger.cs

.Net Code: KeyboardLayout

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

0_2_0046C5D0

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00459FFF
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		3_2_00459FFF

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

0_2_0046C5D0

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

0_2_00456354

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_0047C08E
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		3_2_0047C08E

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.9348000 EDT8 EDQ-905.pdf.exe.2fa0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.309d58e.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.43c5570.7.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.43ded90.6.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.43c5570.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.43c6458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.3340ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.43ded90.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.309d58e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.309c6a6.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.3340ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.3340000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.3340000.3.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.309c6a6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.9348000 EDT8 EDQ-905.pdf.exe.3780000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.43c6458.5.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.3238992933.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.3235501812.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.2144226778.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.3237486712.0000000003340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.3236898593.000000000305C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.3239693650.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.2163788984.0000000003780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: 9348000 EDT8 EDQ-905.pdf.exe

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00434D50

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_004461ED

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		0_2_004364AA
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		3_2_004364AA

Detected potential crypto function

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00412038	0_2_00412038
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00427161	0_2_00427161
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0047E1FA	0_2_0047E1FA
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_004212BE	0_2_004212BE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00443390	0_2_00443390
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00443391	0_2_00443391
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0041A46B	0_2_0041A46B
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0041240C	0_2_0041240C
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00446566	0_2_00446566
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_004045E0	0_2_004045E0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0041D750	0_2_0041D750
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_004037E0	0_2_004037E0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00427859	0_2_00427859
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00412818	0_2_00412818
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0040F890	0_2_0040F890
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0042397B	0_2_0042397B
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00409A40	0_2_00409A40
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00411B63	0_2_00411B63
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0047CBF0	0_2_0047CBF0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0044EBBC	0_2_0044EBBC
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00412C38	0_2_00412C38
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0044ED9A	0_2_0044ED9A
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00423EBF	0_2_00423EBF
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00424F70	0_2_00424F70
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0041AF0D	0_2_0041AF0D
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_04021FB0	0_2_04021FB0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00409A40	3_2_00409A40
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00412038	3_2_00412038
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00427161	3_2_00427161
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0047E1FA	3_2_0047E1FA
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_004212BE	3_2_004212BE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00443390	3_2_00443390
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00443391	3_2_00443391
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0041A46B	3_2_0041A46B
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0041240C	3_2_0041240C
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00446566	3_2_00446566
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_004045E0	3_2_004045E0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0041D750	3_2_0041D750
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_004037E0	3_2_004037E0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00427859	3_2_00427859
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00412818	3_2_00412818
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0040F890	3_2_0040F890
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0042397B	3_2_0042397B
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00411B63	3_2_00411B63
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0047CBF0	3_2_0047CBF0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0044EBBC	3_2_0044EBBC
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00412C38	3_2_00412C38
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0044ED9A	3_2_0044ED9A
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00423EBF	3_2_00423EBF
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00424F70	3_2_00424F70
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0041AF0D	3_2_0041AF0D
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_03F51FB0	3_2_03F51FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00408C60	4_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040DC11	4_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00407C3F	4_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418CCC	4_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00406CA0	4_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004028B0	4_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041A4BE	4_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418244	4_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00401650	4_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402F20	4_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004193C4	4_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418788	4_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402F89	4_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402B90	4_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004073A0	4_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_031ED158	4_2_031ED158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_031E0FF8	4_2_031E0FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_031E1030	4_2_031E1030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_07712820	4_2_07712820

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: String function: 00425210 appears 58 times
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: String function: 00445975 appears 130 times
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: String function: 0041171A appears 74 times
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: String function: 0041832D appears 52 times
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: String function: 004136BC appears 36 times
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: String function: 004092C0 appears 50 times
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: String function: 0041718C appears 90 times
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: String function: 00401B70 appears 46 times
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: String function: 0040E6D0 appears 70 times
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: String function: 0043362D appears 38 times

One or more processes crash

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1424

Sample file is different than original file name gathered from version info

Source: 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000003.2140160852.0000000004453000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 9348000 EDT8 EDQ-905.pdf.exe
Source: 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000002.2144226778.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAYT.exe4 vs 9348000 EDT8 EDQ-905.pdf.exe
Source: 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000003.2140368863.00000000045FD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 9348000 EDT8 EDQ-905.pdf.exe
Source: 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000003.2159944733.000000000463D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 9348000 EDT8 EDQ-905.pdf.exe
Source: 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000003.2157751166.0000000004453000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 9348000 EDT8 EDQ-905.pdf.exe
Source: 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000002.2163788984.0000000003780000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAYT.exe4 vs 9348000 EDT8 EDQ-905.pdf.exe

Uses 32bit PE files

Source: 9348000 EDT8 EDQ-905.pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Yara signature match

Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.9348000 EDT8 EDQ-905.pdf.exe.2fa0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.309d58e.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.43c5570.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.43ded90.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.43c5570.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.43c6458.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.3340ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.43ded90.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.309d58e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.309c6a6.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.3340ee8.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.3340000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.3340000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.309c6a6.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.9348000 EDT8 EDQ-905.pdf.exe.3780000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.43c6458.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.3238992933.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.3235501812.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.2144226778.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.3237486712.0000000003340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.3236898593.000000000305C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.3239693650.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.2163788984.0000000003780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.43c6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.43c6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.43ded90.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.43ded90.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.3340ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.3340ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/9@0/1

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0044AF5C GetLastError,FormatMessageW,

0_2_0044AF5C

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,	0_2_00464422
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,	0_2_004364AA
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,	3_2_00464422
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,	3_2_004364AA

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,

0_2_0045D517

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,

0_2_0043701F

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket,

0_2_0047A999

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

0_2_0043614F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\AYT.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\S7rRwTRJSkK53vKk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3608

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\Clinton

Jump to behavior

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Command line argument: #v		0_2_0040D7F0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Command line argument: #v		3_2_0040D7F0

Source: 9348000 EDT8 EDQ-905.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 9348000 EDT8 EDQ-905.pdf.exe

ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

File read: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe "C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe"
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe"
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Process created: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe "C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe"
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1424
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Process created: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe "C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: AYT.lnk.4.dr

LNK file: ..\..\..\..\..\AYT.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 9348000 EDT8 EDQ-905.pdf.exe

Static file information: File size 1113995 > 1048576

Source:	Binary string: mscorlib.pdbD source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: HP<o0C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdbL} source: RegSvcs.exe, 00000004.00000002.3240349963.00000000066F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3240497153.0000000006766000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdbRSDS source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: Accessibility.pdb\ source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.3238992933.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3237486712.0000000003340000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3236898593.000000000305C000.00000004.00000020.00020000.00000000.sdmp, WER5E88.tmp.dmp.9.dr
Source:	Binary string: RegSvcs.pdb, source: AYT.exe.4.dr
Source:	Binary string: wntdll.pdbUGP source: 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000003.2140368863.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000003.2139603483.0000000004330000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000003.2158369458.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000003.2159078467.0000000004370000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000003.2140368863.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000003.2139603483.0000000004330000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000003.2158369458.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000003.2159078467.0000000004370000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdbH source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: RegSvcs.pdb source: AYT.exe.4.dr
Source:	Binary string: System.Configuration.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3240349963.00000000066F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: %%.pdb source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdbp_ source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3235828494.0000000001657000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3235828494.00000000016B3000.00000004.00000020.00020000.00000000.sdmp, WER5E88.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3240497153.0000000006766000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb[ source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Management.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3240497153.0000000006766000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb#Dnm. source: RegSvcs.exe, 00000004.00000002.3240497153.0000000006766000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.pdb\m source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: @Ho.pdb source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: ?HoC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER5E88.tmp.dmp.9.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.RegSvcs.exe.43c6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.43ded90.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.3340ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.309d58e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, Messages.cs	.Net Code: Memory

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,

0_2_0040EB70

PE file contains an invalid checksum

Source: 9348000 EDT8 EDQ-905.pdf.exe

Static PE information: real checksum: 0xa2135 should be: 0x114939

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_004171D1 push ecx; ret	0_2_004171E4
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_004171D1 push ecx; ret	3_2_004171E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C40C push cs; iretd	4_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00423149 push eax; ret	4_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C50E push cs; iretd	4_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004231C8 push eax; ret	4_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040E21D push ecx; ret	4_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C6BE push ebx; ret	4_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_031E4F49 push ebx; ret	4_2_031E4F62

Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'gGndLaRn6boi9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.43c6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'gGndLaRn6boi9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.43ded90.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'gGndLaRn6boi9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.3340ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'gGndLaRn6boi9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.309d58e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'gGndLaRn6boi9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\AYT.exe

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AYT.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AYT.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: 9348000 EDT8 EDQ-905.pdf.exe

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_004772DE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_004375B0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	3_2_004772DE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,	3_2_004375B0

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00444078		0_2_00444078
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00444078		3_2_00444078

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	API/Special instruction interceptor: Address: 4021BD4
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	API/Special instruction interceptor: Address: 3F51BD4

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

4_2_004019F0

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7790			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2037			Jump to behavior

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	API coverage: 3.1 %
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	API coverage: 3.3 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452126
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	0_2_0045C999
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00436ADE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00434BEE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0045DD7C FindFirstFileW,FindClose,	0_2_0045DD7C
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD29
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	0_2_00436D2D
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442E1F
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00475FE5
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8D
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	3_2_00452126
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	3_2_0045C999
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	3_2_00436ADE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00434BEE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0045DD7C FindFirstFileW,FindClose,	3_2_0045DD7C
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	3_2_0044BD29
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	3_2_00436D2D
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00442E1F
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	3_2_00475FE5
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_0044BF8D

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0040E470

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegSvcs.exe, 00000004.00000002.3240497153.0000000006766000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

API call chain: ExitProcess graph end node

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0045A259 BlockInput,

0_2_0045A259

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,

0_2_0040D6D0

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

4_2_004019F0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,

0_2_0040EB70

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_04021E40 mov eax, dword ptr fs:[00000030h]	0_2_04021E40
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_04021EA0 mov eax, dword ptr fs:[00000030h]	0_2_04021EA0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_04020810 mov eax, dword ptr fs:[00000030h]	0_2_04020810
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_03F50810 mov eax, dword ptr fs:[00000030h]	3_2_03F50810
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_03F51EA0 mov eax, dword ptr fs:[00000030h]	3_2_03F51EA0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_03F51E40 mov eax, dword ptr fs:[00000030h]	3_2_03F51E40

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_00426DA1

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0042202E SetUnhandledExceptionFilter,	0_2_0042202E
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004230F5
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00417D93
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00421FA7
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0042202E SetUnhandledExceptionFilter,	3_2_0042202E
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_004230F5
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00417D93
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00421FA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004123F1 SetUnhandledExceptionFilter,	4_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 112D008

Jump to behavior

Contains functionality to execute programs as a different user

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0043916A LogonUserW,

0_2_0043916A

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

0_2_0040D6D0

Contains functionality to simulate keystroke presses

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_004375B0

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event,

0_2_00436431

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe"			Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe"			Jump to behavior

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00445DD3

Source: 9348000 EDT8 EDQ-905.pdf.exe	Binary or memory string: Shell_TrayWnd
Source: 9348000 EDT8 EDQ-905.pdf.exe	Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_00410D10 cpuid

0_2_00410D10

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

4_2_00417A20

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_004223BC

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_004711D2 GetUserNameW,

0_2_004711D2

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

0_2_0042039F

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0040E470

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 4.2.RegSvcs.exe.309d58e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c5570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43ded90.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c5570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43ded90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309d58e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309c6a6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309c6a6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3238992933.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3237486712.0000000003340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3236898593.000000000305C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3239693650.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected XWorm

Source: Yara match	File source: 4.2.RegSvcs.exe.309d58e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c5570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43ded90.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c5570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43ded90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309d58e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309c6a6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309c6a6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3238992933.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3237486712.0000000003340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3236898593.000000000305C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3239693650.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3237597397.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3608, type: MEMORYSTR

OS version to string mapping found (often used in BOTs)

Source: 9348000 EDT8 EDQ-905.pdf.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: 9348000 EDT8 EDQ-905.pdf.exe	Binary or memory string: WIN_XP
Source: 9348000 EDT8 EDQ-905.pdf.exe	Binary or memory string: WIN_XPe
Source: 9348000 EDT8 EDQ-905.pdf.exe	Binary or memory string: WIN_VISTA
Source: 9348000 EDT8 EDQ-905.pdf.exe	Binary or memory string: WIN_7

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 4.2.RegSvcs.exe.309d58e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c5570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43ded90.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c5570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43ded90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309d58e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309c6a6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309c6a6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3238992933.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3237486712.0000000003340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3236898593.000000000305C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3239693650.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected XWorm

Source: Yara match	File source: 4.2.RegSvcs.exe.309d58e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c5570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43ded90.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c5570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43ded90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309d58e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309c6a6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309c6a6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3238992933.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3237486712.0000000003340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3236898593.000000000305C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3239693650.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3237597397.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3608, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_004741BB
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,	0_2_0046483C
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	0_2_0047AD92
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	3_2_004741BB
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,	3_2_0046483C
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	3_2_0047AD92

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.216.18.238	unknown	Seychelles		135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
154.216.18.238	true		unknown

AV Detection

Found malware configuration

Source: 00000004.00000002.3238992933.00000000043C1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["154.216.18.238"], "Port": "1194", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: 9348000 EDT8 EDQ-905.pdf.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 9348000 EDT8 EDQ-905.pdf.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack	String decryptor: 154.216.18.238
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack	String decryptor: 1194
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack	String decryptor: <123456789>
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack	String decryptor: <Xwormmm>
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack	String decryptor: XWorm V5.6
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack	String decryptor: USB.exe
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack	String decryptor: %AppData%
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack	String decryptor: AYT.exe

Uses 32bit PE files

Source: 9348000 EDT8 EDQ-905.pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: mscorlib.pdbD source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: HP<o0C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdbL} source: RegSvcs.exe, 00000004.00000002.3240349963.00000000066F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3240497153.0000000006766000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdbRSDS source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: Accessibility.pdb\ source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.3238992933.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3237486712.0000000003340000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3236898593.000000000305C000.00000004.00000020.00020000.00000000.sdmp, WER5E88.tmp.dmp.9.dr
Source:	Binary string: RegSvcs.pdb, source: AYT.exe.4.dr
Source:	Binary string: wntdll.pdbUGP source: 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000003.2140368863.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000003.2139603483.0000000004330000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000003.2158369458.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000003.2159078467.0000000004370000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000003.2140368863.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000003.2139603483.0000000004330000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000003.2158369458.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000003.2159078467.0000000004370000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdbH source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: RegSvcs.pdb source: AYT.exe.4.dr
Source:	Binary string: System.Configuration.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3240349963.00000000066F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: %%.pdb source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdbp_ source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3235828494.0000000001657000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3235828494.00000000016B3000.00000004.00000020.00020000.00000000.sdmp, WER5E88.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3240497153.0000000006766000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb[ source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Management.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3240497153.0000000006766000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb#Dnm. source: RegSvcs.exe, 00000004.00000002.3240497153.0000000006766000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.pdb\m source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: @Ho.pdb source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: ?HoC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER5E88.tmp.dmp.9.dr

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452126
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	0_2_0045C999
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00436ADE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00434BEE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0045DD7C FindFirstFileW,FindClose,	0_2_0045DD7C
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD29
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	0_2_00436D2D
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442E1F
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00475FE5
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8D
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	3_2_00452126
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	3_2_0045C999
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	3_2_00436ADE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00434BEE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0045DD7C FindFirstFileW,FindClose,	3_2_0045DD7C
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	3_2_0044BD29
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	3_2_00436D2D
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00442E1F
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	3_2_00475FE5
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_0044BF8D

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 154.216.18.238:1194 -> 192.168.2.6:49716
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 154.216.18.238:1194 -> 192.168.2.6:49716
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49716 -> 154.216.18.238:1194
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49716 -> 154.216.18.238:1194

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 154.216.18.238

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49716 -> 154.216.18.238:1194

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo

Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.238

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile,

0_2_0044289D

Source: RegSvcs.exe, 00000004.00000002.3237597397.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, XLogger.cs

.Net Code: KeyboardLayout

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

0_2_0046C5D0

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00459FFF
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		3_2_00459FFF

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

0_2_0046C5D0

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

0_2_00456354

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_0047C08E
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		3_2_0047C08E

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.9348000 EDT8 EDQ-905.pdf.exe.2fa0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.309d58e.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.43c5570.7.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.43ded90.6.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.43c5570.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.43c6458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.3340ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.43ded90.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.309d58e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.309c6a6.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.3340ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.3340000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.3340000.3.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.309c6a6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.9348000 EDT8 EDQ-905.pdf.exe.3780000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.43c6458.5.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.3238992933.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.3235501812.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.2144226778.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.3237486712.0000000003340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.3236898593.000000000305C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.3239693650.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.2163788984.0000000003780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: 9348000 EDT8 EDQ-905.pdf.exe

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00434D50

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

0_2_004461ED

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		0_2_004364AA
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		3_2_004364AA

Detected potential crypto function

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00412038	0_2_00412038
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00427161	0_2_00427161
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0047E1FA	0_2_0047E1FA
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_004212BE	0_2_004212BE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00443390	0_2_00443390
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00443391	0_2_00443391
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0041A46B	0_2_0041A46B
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0041240C	0_2_0041240C
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00446566	0_2_00446566
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_004045E0	0_2_004045E0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0041D750	0_2_0041D750
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_004037E0	0_2_004037E0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00427859	0_2_00427859
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00412818	0_2_00412818
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0040F890	0_2_0040F890
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0042397B	0_2_0042397B
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00409A40	0_2_00409A40
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00411B63	0_2_00411B63
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0047CBF0	0_2_0047CBF0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0044EBBC	0_2_0044EBBC
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00412C38	0_2_00412C38
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0044ED9A	0_2_0044ED9A
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00423EBF	0_2_00423EBF
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00424F70	0_2_00424F70
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0041AF0D	0_2_0041AF0D
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_04021FB0	0_2_04021FB0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00409A40	3_2_00409A40
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00412038	3_2_00412038
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00427161	3_2_00427161
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0047E1FA	3_2_0047E1FA
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_004212BE	3_2_004212BE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00443390	3_2_00443390
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00443391	3_2_00443391
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0041A46B	3_2_0041A46B
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0041240C	3_2_0041240C
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00446566	3_2_00446566
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_004045E0	3_2_004045E0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0041D750	3_2_0041D750
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_004037E0	3_2_004037E0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00427859	3_2_00427859
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00412818	3_2_00412818
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0040F890	3_2_0040F890
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0042397B	3_2_0042397B
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00411B63	3_2_00411B63
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0047CBF0	3_2_0047CBF0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0044EBBC	3_2_0044EBBC
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00412C38	3_2_00412C38
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0044ED9A	3_2_0044ED9A
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00423EBF	3_2_00423EBF
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00424F70	3_2_00424F70
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0041AF0D	3_2_0041AF0D
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_03F51FB0	3_2_03F51FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00408C60	4_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040DC11	4_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00407C3F	4_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418CCC	4_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00406CA0	4_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004028B0	4_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041A4BE	4_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418244	4_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00401650	4_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402F20	4_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004193C4	4_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418788	4_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402F89	4_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402B90	4_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004073A0	4_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_031ED158	4_2_031ED158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_031E0FF8	4_2_031E0FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_031E1030	4_2_031E1030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_07712820	4_2_07712820

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: String function: 00425210 appears 58 times
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: String function: 00445975 appears 130 times
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: String function: 0041171A appears 74 times
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: String function: 0041832D appears 52 times
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: String function: 004136BC appears 36 times
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: String function: 004092C0 appears 50 times
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: String function: 0041718C appears 90 times
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: String function: 00401B70 appears 46 times
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: String function: 0040E6D0 appears 70 times
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: String function: 0043362D appears 38 times

One or more processes crash

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1424

Sample file is different than original file name gathered from version info

Source: 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000003.2140160852.0000000004453000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 9348000 EDT8 EDQ-905.pdf.exe
Source: 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000002.2144226778.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAYT.exe4 vs 9348000 EDT8 EDQ-905.pdf.exe
Source: 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000003.2140368863.00000000045FD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 9348000 EDT8 EDQ-905.pdf.exe
Source: 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000003.2159944733.000000000463D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 9348000 EDT8 EDQ-905.pdf.exe
Source: 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000003.2157751166.0000000004453000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 9348000 EDT8 EDQ-905.pdf.exe
Source: 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000002.2163788984.0000000003780000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAYT.exe4 vs 9348000 EDT8 EDQ-905.pdf.exe

Uses 32bit PE files

Source: 9348000 EDT8 EDQ-905.pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Yara signature match

Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.9348000 EDT8 EDQ-905.pdf.exe.2fa0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.309d58e.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.43c5570.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.43ded90.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.43c5570.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.43c6458.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.3340ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.43ded90.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.309d58e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.309c6a6.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.3340ee8.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.3340000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.3340000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.309c6a6.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.9348000 EDT8 EDQ-905.pdf.exe.3780000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.43c6458.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.3238992933.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.3235501812.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.2144226778.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.3237486712.0000000003340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.3236898593.000000000305C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.3239693650.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.2163788984.0000000003780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.43c6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.43c6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.43ded90.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.43ded90.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.3340ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.3340ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/9@0/1

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0044AF5C GetLastError,FormatMessageW,

0_2_0044AF5C

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,	0_2_00464422
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,	0_2_004364AA
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,	3_2_00464422
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,	3_2_004364AA

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,

0_2_0045D517

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,

0_2_0043701F

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket,

0_2_0047A999

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

0_2_0043614F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\AYT.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\S7rRwTRJSkK53vKk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3608

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\Clinton

Jump to behavior

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Command line argument: #v		0_2_0040D7F0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Command line argument: #v		3_2_0040D7F0

Source: 9348000 EDT8 EDQ-905.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 9348000 EDT8 EDQ-905.pdf.exe

ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

File read: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe "C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe"
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe"
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Process created: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe "C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe"
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1424
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Process created: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe "C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: AYT.lnk.4.dr

LNK file: ..\..\..\..\..\AYT.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 9348000 EDT8 EDQ-905.pdf.exe

Static file information: File size 1113995 > 1048576

Source:	Binary string: mscorlib.pdbD source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: HP<o0C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdbL} source: RegSvcs.exe, 00000004.00000002.3240349963.00000000066F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3240497153.0000000006766000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdbRSDS source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: Accessibility.pdb\ source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.3238992933.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3237486712.0000000003340000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3236898593.000000000305C000.00000004.00000020.00020000.00000000.sdmp, WER5E88.tmp.dmp.9.dr
Source:	Binary string: RegSvcs.pdb, source: AYT.exe.4.dr
Source:	Binary string: wntdll.pdbUGP source: 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000003.2140368863.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000003.2139603483.0000000004330000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000003.2158369458.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000003.2159078467.0000000004370000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000003.2140368863.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000000.00000003.2139603483.0000000004330000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000003.2158369458.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, 9348000 EDT8 EDQ-905.pdf.exe, 00000003.00000003.2159078467.0000000004370000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdbH source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: RegSvcs.pdb source: AYT.exe.4.dr
Source:	Binary string: System.Configuration.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3240349963.00000000066F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: %%.pdb source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdbp_ source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3235828494.0000000001657000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3235828494.00000000016B3000.00000004.00000020.00020000.00000000.sdmp, WER5E88.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3240497153.0000000006766000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb[ source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Management.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3240497153.0000000006766000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb#Dnm. source: RegSvcs.exe, 00000004.00000002.3240497153.0000000006766000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.pdb\m source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: @Ho.pdb source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: ?HoC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000004.00000002.3241044235.0000000006DCA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdb source: WER5E88.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER5E88.tmp.dmp.9.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.RegSvcs.exe.43c6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.43ded90.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.3340ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.309d58e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, Messages.cs	.Net Code: Memory

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,

0_2_0040EB70

PE file contains an invalid checksum

Source: 9348000 EDT8 EDQ-905.pdf.exe

Static PE information: real checksum: 0xa2135 should be: 0x114939

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_004171D1 push ecx; ret	0_2_004171E4
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_004171D1 push ecx; ret	3_2_004171E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C40C push cs; iretd	4_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00423149 push eax; ret	4_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C50E push cs; iretd	4_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004231C8 push eax; ret	4_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040E21D push ecx; ret	4_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C6BE push ebx; ret	4_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_031E4F49 push ebx; ret	4_2_031E4F62

Source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'gGndLaRn6boi9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.43c6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'gGndLaRn6boi9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.43ded90.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'gGndLaRn6boi9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.3340ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'gGndLaRn6boi9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.309d58e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'gGndLaRn6boi9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\AYT.exe

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AYT.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AYT.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: 9348000 EDT8 EDQ-905.pdf.exe

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_004772DE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_004375B0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	3_2_004772DE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,	3_2_004375B0

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00444078		0_2_00444078
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00444078		3_2_00444078

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	API/Special instruction interceptor: Address: 4021BD4
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	API/Special instruction interceptor: Address: 3F51BD4

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

4_2_004019F0

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7790			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2037			Jump to behavior

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	API coverage: 3.1 %
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	API coverage: 3.3 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452126
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	0_2_0045C999
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00436ADE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00434BEE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0045DD7C FindFirstFileW,FindClose,	0_2_0045DD7C
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD29
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	0_2_00436D2D
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442E1F
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00475FE5
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8D
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	3_2_00452126
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	3_2_0045C999
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	3_2_00436ADE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00434BEE
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0045DD7C FindFirstFileW,FindClose,	3_2_0045DD7C
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	3_2_0044BD29
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	3_2_00436D2D
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00442E1F
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	3_2_00475FE5
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_0044BF8D

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0040E470

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegSvcs.exe, 00000004.00000002.3240497153.0000000006766000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

API call chain: ExitProcess graph end node

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0045A259 BlockInput,

0_2_0045A259

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

0_2_0040D6D0

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

4_2_004019F0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,

0_2_0040EB70

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_04021E40 mov eax, dword ptr fs:[00000030h]	0_2_04021E40
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_04021EA0 mov eax, dword ptr fs:[00000030h]	0_2_04021EA0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_04020810 mov eax, dword ptr fs:[00000030h]	0_2_04020810
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_03F50810 mov eax, dword ptr fs:[00000030h]	3_2_03F50810
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_03F51EA0 mov eax, dword ptr fs:[00000030h]	3_2_03F51EA0
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_03F51E40 mov eax, dword ptr fs:[00000030h]	3_2_03F51E40

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

0_2_00426DA1

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0042202E SetUnhandledExceptionFilter,	0_2_0042202E
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004230F5
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00417D93
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00421FA7
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0042202E SetUnhandledExceptionFilter,	3_2_0042202E
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_004230F5
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00417D93
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00421FA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004123F1 SetUnhandledExceptionFilter,	4_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 112D008

Jump to behavior

Contains functionality to execute programs as a different user

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0043916A LogonUserW,

0_2_0043916A

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

0_2_0040D6D0

Contains functionality to simulate keystroke presses

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

0_2_004375B0

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event,

0_2_00436431

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe"			Jump to behavior
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe"			Jump to behavior

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00445DD3

Source: 9348000 EDT8 EDQ-905.pdf.exe	Binary or memory string: Shell_TrayWnd
Source: 9348000 EDT8 EDQ-905.pdf.exe	Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_00410D10 cpuid

0_2_00410D10

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

4_2_00417A20

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_004223BC

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_004711D2 GetUserNameW,

0_2_004711D2

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

0_2_0042039F

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe

Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0040E470

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 4.2.RegSvcs.exe.309d58e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c5570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43ded90.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c5570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43ded90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309d58e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309c6a6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309c6a6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3238992933.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3237486712.0000000003340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3236898593.000000000305C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3239693650.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected XWorm

Source: Yara match	File source: 4.2.RegSvcs.exe.309d58e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c5570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43ded90.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c5570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43ded90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309d58e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309c6a6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309c6a6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3238992933.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3237486712.0000000003340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3236898593.000000000305C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3239693650.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3237597397.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3608, type: MEMORYSTR

OS version to string mapping found (often used in BOTs)

Source: 9348000 EDT8 EDQ-905.pdf.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: 9348000 EDT8 EDQ-905.pdf.exe	Binary or memory string: WIN_XP
Source: 9348000 EDT8 EDQ-905.pdf.exe	Binary or memory string: WIN_XPe
Source: 9348000 EDT8 EDQ-905.pdf.exe	Binary or memory string: WIN_VISTA
Source: 9348000 EDT8 EDQ-905.pdf.exe	Binary or memory string: WIN_7

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 4.2.RegSvcs.exe.309d58e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c5570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43ded90.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c5570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43ded90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309d58e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309c6a6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309c6a6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3238992933.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3237486712.0000000003340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3236898593.000000000305C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3239693650.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected XWorm

Source: Yara match	File source: 4.2.RegSvcs.exe.309d58e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c5570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43ded90.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c5570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43ded90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309d58e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309c6a6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3340000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.309c6a6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43c6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3238992933.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3237486712.0000000003340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3236898593.000000000305C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3239693650.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3237597397.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3608, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_004741BB
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,	0_2_0046483C
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	0_2_0047AD92
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	3_2_004741BB
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,	3_2_0046483C
Source: C:\Users\user\Desktop\9348000 EDT8 EDQ-905.pdf.exe	Code function: 3_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	3_2_0047AD92

ID:	1542078
Product:	CloudBasic
Start time:	14:55:06
Start date:	25.10.2024
Sample:	9348000 EDT8 EDQ-905.pdf.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	2303f1ec39ce8a6567d311af14d35904
SHA1:	a1060385d87b7a10ee9b1cf78f13637f5af235d3
SHA256:	e81b6b5dc10fa29138e68b8020a73f9a767877d3a85e1a5396ec08b20d3a8be3
Filetype:	Win32 Executable (generic) a (10002005/4) 95.11%

Windows Analysis Report
9348000 EDT8 EDQ-905.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_a35497387d5c18b093425ec6f082bbfea43142fc_c2842f8f_97cfd8f8-b88d-41a5-b19f-5e00daa1091b\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	2C20FABE5916109FA61DA7610468DBC6	E228F37F00E68D8DA245DB866905FB6AA6B673FF	E5A7418EE45BC6FC14A4C7CB8554A8ACCA0CB93D51E9ACFA3B3AE8550E954D0B
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E88.tmp.dmp	Mini DuMP crash report, 14 streams, Fri Oct 25 12:57:43 2024, 0x1205a4 type	8ED3B057754B454A3FCB9CEEFA21BCDE	0C0933F30608B285FB887B273C27A1073FD0E5B4	93E5380742CD29A776EFDD530B81F4A461D67EC5FA96B28E8333492DED494145
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6271.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	E3F13D93DB9B93DF6D2E7809CCF51022	8087EE69C83D348D57ED79F1B0DB63ABAD2B1EA3	7F4778155B28B3B9EB311F324BF30514FEB3AE78FD0AADDE45758DAFB3C40832
C:\ProgramData\Microsoft\Windows\WER\Temp\WER62DF.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	9BE79146C13A3E85C09BA7BF912F3005	EB85673BAFDEF3753CC6D8F03AFAFCAF0F003B1B	2AA8D3850D71DBB20A6F34938D58E445AEE7C2045160D5586E67E34B0B4DFB83
C:\Users\user\AppData\Local\Temp\Clinton	data	D24DD5EDD4609A7C13D3238A96C9EA6E	3661D50F1E4C49C4FA08701AAC4BFE8A9B797ECB	CB6DA06DFC69A8E2FABF531521C42940175CE7017E86E907E43F00BBD01B3CB8
C:\Users\user\AppData\Local\Temp\Log.tmp	ASCII text, with CRLF line terminators	2C11513C4FAB02AEDEE23EC05A2EB3CC	59177C177B2546FBD8EC7688BAD19D08D32640DE	BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
C:\Users\user\AppData\Roaming\AYT.exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	9D352BC46709F0CB5EC974633A0C3C94	1969771B2F022F9A86D77AC4D4D239BECDF08D07	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AYT.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Oct 25 11:56:04 2024, mtime=Fri Oct 25 11:56:04 2024, atime=Fri Oct 25 11:56:04 2024, length=45984, window=hide	F50B9959416A4D4410310E1CFB9D5365	7C60532AB213E5D0BF837EB89F3C5461AF7D47FA	CFCCBB048D1590AD24DA224585E7B865E234BCC7A0D67DF787E3D0690FE5F349
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	0DBD1C185474713A3D1F780A78EC8DE3	A27D6438B78DD8CB12FEC4DD827F15FD5AFBFF06	C1E59D46C1673561F41A83A4ABE7FA10A58BC70BD59496D8094F4D1F9E79F888

Windows Analysis Report 9348000 EDT8 EDQ-905.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
9348000 EDT8 EDQ-905.pdf.exe

Malware Threat Intel
Provided by