Windows Analysis Report
PO#83298373729383838392387373873PDF.exe

Overview

General Information

Sample name: PO#83298373729383838392387373873PDF.exe
Analysis ID: 1560406
MD5: cfba70c85197dbf3794d29ec1a028e41
SHA1: 553ace7a4399cf320f99781e6aa01de7387beb3c
SHA256: 8f936683a4a1f0ea60bcfafa320c4669b85d8cba070203a5f539b4cd7bd078a0
Tags: exeuser-lowmal3
Infos:

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

barindex
Source: nwamama.ydns.eu Avira URL Cloud: Label: malware
Source: 00000000.00000002.2030391675.0000000002984000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["nwamama.ydns.eu"], "Port": 3791, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\Name.exe ReversingLabs: Detection: 55%
Source: PO#83298373729383838392387373873PDF.exe ReversingLabs: Detection: 55%
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Name.exe Joe Sandbox ML: detected
Source: PO#83298373729383838392387373873PDF.exe Joe Sandbox ML: detected
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack String decryptor: nwamama.ydns.eu
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack String decryptor: 3791
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack String decryptor: <123456789>
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack String decryptor: <Xwormmm>
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack String decryptor: XWorm V5.6
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack String decryptor: USB.exe
Source: PO#83298373729383838392387373873PDF.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO#83298373729383838392387373873PDF.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb@ source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2052051724.0000000005990000.00000004.08000000.00040000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000037C3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ((.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\exe\InstallUtil.pdb1 source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2052051724.0000000005990000.00000004.08000000.00040000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000037C3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDBl source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdbu E#k source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb:\G# source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D43000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D43000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: |symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp

Networking

barindex
Source: Malware configuration extractor URLs: nwamama.ydns.eu
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Key, Mouse, Clipboard, Microphone and Screen Capturing

barindex
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, XLogger.cs .Net Code: KeyboardLayout

System Summary

barindex
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.3268454958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2030391675.0000000002984000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: initial sample Static PE information: Filename: PO#83298373729383838392387373873PDF.exe
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Code function: 0_2_06190007 0_2_06190007
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Code function: 0_2_06190040 0_2_06190040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00F90EC0 2_2_00F90EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 904
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2052051724.0000000005990000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000000.2020816892.0000000000252000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAvijyymd.exe2 vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.0000000002A13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenew new file.exe4 vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.00000000026B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenew new file.exe4 vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2050414859.0000000005220000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameHvgtipgb.dll" vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000037C3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051358330.00000000057C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAvijyymd.exe2 vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2029680955.00000000009DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe Binary or memory string: OriginalFilenameAvijyymd.exe2 vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.3268454958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2030391675.0000000002984000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: PO#83298373729383838392387373873PDF.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Name.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@4/3@0/0
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Name.vbs Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5248:64:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\xfLucCIETglxMGYM
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\98c053a2-c728-4a66-80a3-1c67fdb675c5 Jump to behavior
Source: PO#83298373729383838392387373873PDF.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PO#83298373729383838392387373873PDF.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: PO#83298373729383838392387373873PDF.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe File read: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe "C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe"
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 904
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: PO#83298373729383838392387373873PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO#83298373729383838392387373873PDF.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb@ source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2052051724.0000000005990000.00000004.08000000.00040000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000037C3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ((.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\exe\InstallUtil.pdb1 source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2052051724.0000000005990000.00000004.08000000.00040000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000037C3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDBl source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdbu E#k source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb:\G# source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D43000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D43000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: |symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

barindex
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Messages.cs .Net Code: Memory
Source: 0.2.PO#83298373729383838392387373873PDF.exe.3705590.2.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.PO#83298373729383838392387373873PDF.exe.3705590.2.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.PO#83298373729383838392387373873PDF.exe.3705590.2.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.PO#83298373729383838392387373873PDF.exe.3705590.2.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.PO#83298373729383838392387373873PDF.exe.3705590.2.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: Yara match File source: 0.2.PO#83298373729383838392387373873PDF.exe.58a0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2051601524.00000000058A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO#83298373729383838392387373873PDF.exe PID: 5456, type: MEMORYSTR
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Code function: 0_2_061970ED pushad ; ret 0_2_061970FD
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Code function: 0_2_06196907 push ecx; retf 0_2_0619690C
Source: PO#83298373729383838392387373873PDF.exe Static PE information: section name: .text entropy: 7.718517547006481
Source: Name.exe.0.dr Static PE information: section name: .text entropy: 7.718517547006481
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe File created: C:\Users\user\AppData\Roaming\Name.exe Jump to dropped file

Boot Survival

barindex
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Name.vbs Jump to dropped file
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Name.vbs Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Name.vbs Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: Yara match File source: Process Memory Space: PO#83298373729383838392387373873PDF.exe PID: 5456, type: MEMORYSTR
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Memory allocated: CB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Memory allocated: 26B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Memory allocated: 24F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: F90000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2910000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4910000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe TID: 616 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe TID: 6464 Thread sleep count: 191 > 30 Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe TID: 6464 Thread sleep count: 99 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, NativeMethods.cs Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, ResourceReferenceValue.cs Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Messages.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, XLogger.cs Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Queries volume information: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

barindex
Source: Yara match File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3268454958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2030391675.0000000002984000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO#83298373729383838392387373873PDF.exe PID: 5456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3160, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3268454958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2030391675.0000000002984000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO#83298373729383838392387373873PDF.exe PID: 5456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3160, type: MEMORYSTR
No contacted IP infos