DYNAMIC ANALYSIS REPORT #1191526

Classifications: Downloader Spyware

MALICIOUS Threat Names: -

Verdict Reason: -

Sample Type Windows Exe (x86-32)

Sample Name DFI_078_41_02_005.pdf.exe

ID #392292

MD5 401b898010200d87fa8b93e0bf20f45d

SHA1 dd1621dfaaffc7ecf9e4b52215eda9bd7cfe1a3b

SHA256 2b5a82318d126c8d7f49bfcf1a093d349da46924c7bdae0ed0428ddd4549feb3

File Size 463.80 KB

Report Created 2021-04-21 20:23 (UTC+2)

Target Environment win10_64_th2_en_mso2016 | exe

X-Ray Vision for Malware - www.vmray.com 1 / 31 DYNAMIC ANALYSIS REPORT #1191526

OVERVIEW

VMRay Threat Identifiers (18 rules, 46 matches)

Score Category Operation Count Classification

5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware

• Tries to read sensitive data of: Kometa, , Elements Browser, Cyberfox, , Mozilla Thunderbird, Epic Privacy Browser, BlackHawk, , , , CocCoc, Orbitum, Amigo, Chrome, Mozilla , , Uran, CentBrowser.

4/5 Masquerade Uses a double file extension 2 -

• File "c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe" has a double file extension.

• File "c:\users\rdhj0cnfevzx\appdata\local\temp\dfi_078_41_02_005.pdf.exe" has a double file extension.

2/5 Data Collection Reads sensitive browser data 18 -

• (Process #2) dfi_078_41_02_005.pdf.exe tries to read credentials of "Internet Explorer" by reading from the system's credential vault.

• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "" by file.

• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Chromium" by file.

• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Kometa" by file.

• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Amigo" by file.

• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Torch" by file.

• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Orbitum" by file.

• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Comodo Dragon" by file.

• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Epic Privacy Browser" by file.

• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Vivaldi" by file.

• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "CocCoc" by file.

• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Uran" by file.

• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "CentBrowser" by file.

• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Elements Browser" by file.

• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Opera" by file.

• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Mozilla Firefox" by file.

• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Cyberfox" by file.

• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "BlackHawk" by file.

2/5 Data Collection Reads sensitive mail data 1 -

• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of mail application "Mozilla Thunderbird" by file.

2/5 Anti Analysis Tries to detect virtual machine 1 -

• Multiple processes are possibly trying to detect a VM via rdtsc.

2/5 Heuristics Signed executable failed signature validation 1 -

• C:\Users\RDhJ0CNFevzX\Desktop\DFI_078_41_02_005.pdf.exe is signed, but signature validation failed.

2/5 Injection Writes into the memory of a process running from a created or modified executable 1 -

• (Process #1) dfi_078_41_02_005.pdf.exe modifies memory of (process #2) dfi_078_41_02_005.pdf.exe.

2/5 Injection Modifies control of a process running from a created or modified executable 1 -

• (Process #1) dfi_078_41_02_005.pdf.exe alters context of (process #2) dfi_078_41_02_005.pdf.exe.

1/5 Privilege Escalation Enables process privilege 1 -

• (Process #1) dfi_078_41_02_005.pdf.exe enables process privilege "SeDebugPrivilege".


1/5 Persistence Installs system startup script or application 1 -

• (Process #1) dfi_078_41_02_005.pdf.exe adds ""C:\Users\RDhJ0CNFevzX\AppData\Local\notpad.exe"" to Windows startup via registry.

1/5 Hide Tracks Creates process with hidden window 2 -

• (Process #1) dfi_078_41_02_005.pdf.exe starts (process #2) dfi_078_41_02_005.pdf.exe with a hidden window.

• (Process #2) dfi_078_41_02_005.pdf.exe starts (process #2) dfi_078_41_02_005.pdf.exe with a hidden window.

1/5 Discovery Enumerates running processes 1 -

• (Process #1) dfi_078_41_02_005.pdf.exe enumerates running processes.

1/5 Obfuscation Reads from memory of another process 1 -

• (Process #1) dfi_078_41_02_005.pdf.exe reads from (process #2) dfi_078_41_02_005.pdf.exe.

1/5 Obfuscation Creates a page with write and execute permissions 1 -

• (Process #1) dfi_078_41_02_005.pdf.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.

1/5 Discovery Possibly does reconnaissance 4 -

• (Process #2) dfi_078_41_02_005.pdf.exe tries to gather information about application "Mozilla Firefox" by file.

• (Process #2) dfi_078_41_02_005.pdf.exe tries to gather information about application "Cyberfox" by file.

• (Process #2) dfi_078_41_02_005.pdf.exe tries to gather information about application "blackHawk" by file.

• (Process #2) dfi_078_41_02_005.pdf.exe tries to gather information about application "icecat" by file.

1/5 Obfuscation Resolves API functions dynamically 1 -

• (Process #2) dfi_078_41_02_005.pdf.exe resolves 74 API functions by name.

1/5 Execution Executes itself 1 -

• (Process #1) dfi_078_41_02_005.pdf.exe executes a copy of the sample at c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe.

1/5 Network Connection Downloads executable 7 Downloader

• (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/6.jpg.

• (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/1.jpg.

• (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/2.jpg.

• (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/3.jpg.

• (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/4.jpg.

• (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/5.jpg.

• (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/7.jpg.

- Trusted Known clean file 7 -

• File "C:\\ProgramData\\softokn3.dll" is a known clean file.

• File "C:\\ProgramData\\sqlite3.dll" is a known clean file.

• File "C:\\ProgramData\\freebl3.dll" is a known clean file.

• File "C:\\ProgramData\\mozglue.dll" is a known clean file.

• File "C:\\ProgramData\\msvcp140.dll" is a known clean file.

• File "C:\\ProgramData\\nss3.dll" is a known clean file.

• File "C:\\ProgramData\\vcruntime140.dll" is a known clean file.

Note: "known clean" is a verdict on each file's own content, not on its use. softokn3.dll, freebl3.dll, nss3.dll and mozglue.dll are Mozilla NSS components, sqlite3.dll is the SQLite engine, and msvcp140.dll/vcruntime140.dll are the Visual C++ runtime. Together they are the toolkit a stealer needs to open and decrypt Firefox-family profile databases, which matches the profiles.ini accesses for Firefox, Cyberfox, BlackHawk, IceCat and Thunderbird listed under Artifacts. The indicator is the sample downloading them into the root of C:\ProgramData and deleting them afterwards, not the files themselves.

Remarks

Auto Reboot Triggered (0x02000004): The system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.
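The three cheapest behaviours to catch from endpoint telemetry in the list above are the double file extension, the Run-key value "notpad" pointing at an executable under %LOCALAPPDATA%, and the taskkill / erase / RD /S /Q chain that cmd.exe is launched with (Process #3). The following Python is an added example and not part of the VMRay report; it runs those checks over event records constructed here from this report's own paths and command line, in a Sysmon-like shape whose field names (Image, CommandLine, TargetObject, Details) are an assumption. The look-alike check against common Windows binary names is an added heuristic.

```python
"""Endpoint checks for three behaviours in this report: a double file
extension, a Run-key value pointing at a user-writable path (with a
look-alike name), and the cmd.exe taskkill / erase / RD self-delete chain.
Added example; the event shape (Sysmon-like field names) is an assumption."""
import re
from difflib import SequenceMatcher
from typing import Dict, List, Optional

# A document/image extension directly followed by an executable one, e.g. ".pdf.exe".
DOUBLE_EXT_RE = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.(exe|scr|com|pif|bat|cmd)$", re.I)
# taskkill on a PID, then erase/del of a file, then rd /s /q of a directory.
SELF_DELETE_RE = re.compile(
    r"taskkill\s+/pid\s+\d+.*?&\s*(erase|del)\s+.*?&\s*rd\s+/s\s+/q", re.I)
# Locations a standard user can write to without elevation.
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\temp\\", re.I)
LOOKALIKE_TARGETS = ("notepad", "svchost", "explorer", "csrss", "winlogon")


def lookalike(name: str) -> Optional[str]:
    """Well-known Windows binary that `name` closely imitates (e.g. notpad -> notepad)."""
    base = name.lower()
    if base.endswith(".exe"):
        base = base[:-4]
    for target in LOOKALIKE_TARGETS:
        if base != target and SequenceMatcher(None, base, target).ratio() >= 0.85:
            return target
    return None


def check_process(ev: Dict[str, object]) -> List[str]:
    """Detections for a process-creation record."""
    hits = []
    image = str(ev["Image"])
    if DOUBLE_EXT_RE.search(image):
        hits.append("masquerade: double file extension")
    if image.lower().endswith("\\cmd.exe") and SELF_DELETE_RE.search(str(ev.get("CommandLine", ""))):
        hits.append("anti-forensics: taskkill + erase + rd /s /q self-delete chain")
    return hits


def check_registry(ev: Dict[str, object]) -> List[str]:
    """Detections for a registry value-set record under a Run key."""
    hits = []
    key = str(ev["TargetObject"])
    if "\\currentversion\\run\\" in key.lower():
        value_name = key.rsplit("\\", 1)[1]
        target = str(ev.get("Details", "")).strip('"')
        if USER_WRITABLE_RE.search(target):
            hits.append(f"persistence: Run value '{value_name}' -> user-writable path {target}")
        mimic = lookalike(value_name)
        if mimic:
            hits.append(f"masquerade: Run value '{value_name}' imitates '{mimic}'")
    return hits


# Constructed records shaped after Process #1, the Run\notpad key and Process #3 of this report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\RDhJ0CNFevzX\Desktop\DFI_078_41_02_005.pdf.exe",
     "CommandLine": r'"C:\Users\RDhJ0CNFevzX\Desktop\DFI_078_41_02_005.pdf.exe"'},
    {"EventID": 13,
     "TargetObject": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\notpad",
     "Details": r'"C:\Users\RDhJ0CNFevzX\AppData\Local\notpad.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c taskkill /pid 1264 & erase '
                    r'C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\DFI_078_41_02_005.pdf.exe '
                    r'& RD /S /Q C:\ProgramData\841859659216477\* & exit'},
]


def triage(events) -> Dict[str, List[str]]:
    """Map each event's subject (image path or registry key) to the detections it triggered."""
    findings = {}
    for ev in events:
        hits = check_process(ev) if ev["EventID"] == 1 else check_registry(ev)
        if hits:
            findings[str(ev.get("Image") or ev["TargetObject"])] = hits
    return findings


if __name__ == "__main__":
    for subject, hits in triage(SAMPLE_EVENTS).items():
        print(subject)
        for hit in hits:
            print("  -", hit)
```

Run as a script it prints one block per flagged subject; in a pipeline the three check functions would be fed real process-creation and registry events instead of SAMPLE_EVENTS.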


Mitre ATT&CK Matrix

Technique | Tactic(s)
#T1036 Masquerading | Defense Evasion
#T1060 Registry Run Keys / Startup Folder | Persistence
#T1112 Modify Registry | Defense Evasion
#T1143 Hidden Window | Defense Evasion
#T1057 Process Discovery | Discovery
#T1045 Software Packing | Defense Evasion
#T1119 Automated Collection | Collection
#T1003 Credential Dumping | Credential Access
#T1005 Data from Local System | Collection
#T1081 Credentials in Files | Credential Access
#T1083 File and Directory Discovery | Discovery
#T1497 Virtualization/Sandbox Evasion | Defense Evasion, Discovery
#T1124 System Time Discovery | Discovery
#T1071 Standard Application Layer Protocol | Command and Control
#T1105 Remote File Copy | Lateral Movement, Command and Control


Sample Information

ID 1191526

MD5 401b898010200d87fa8b93e0bf20f45d

SHA1 dd1621dfaaffc7ecf9e4b52215eda9bd7cfe1a3b

SHA256 2b5a82318d126c8d7f49bfcf1a093d349da46924c7bdae0ed0428ddd4549feb3

SSDeep 6144:Zz3df/UYtfUeAIQHuA36cdrNSvsdssKDJXJ6a/2aKE4VCQMCS:f/JeeAItC66Jtg1Iajg/

ImpHash f34d5f2d4577ed6d9ceec516c1f5a744

Filename DFI_078_41_02_005.pdf.exe

File Size 463.80 KB

Sample Type Windows Exe (x86-32)

Has Macros

Analysis Information

Creation Time 2021-04-21 20:23 (UTC+2)

Analysis Duration 00:04:00

Termination Reason Timeout

Number of Monitored Processes 4

Execution Successful False

Reputation Analysis Enabled

WHOIS Enabled

Built-in AV Enabled

Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of AV Matches 0

YARA Enabled

YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of YARA Matches 0



Screenshots truncated.


NETWORK

General

133.18 KB total sent

3044.97 KB total received

1 port (80)

1 contacted IP addresses

0 URLs extracted

8 files downloaded

0 malicious hosts detected

DNS

0 DNS requests for 0 domains

0 nameservers contacted

0 total requests returned errors

HTTP/S

9 URLs contacted, 1 servers

1 session, 133.18 KB sent, 3044.97 KB received

DNS Requests

-

HTTP Requests

Method URL Dest. IP Dest. Port Status Code Response Size Verdict

POST duiy.xyz/6.jpg 0 bytes N/A

POST duiy.xyz/1.jpg 0 bytes N/A

POST duiy.xyz/2.jpg 0 bytes N/A

POST duiy.xyz/3.jpg 0 bytes N/A

POST duiy.xyz/4.jpg 0 bytes N/A

POST duiy.xyz/5.jpg 0 bytes N/A

POST duiy.xyz/7.jpg 0 bytes N/A

POST duiy.xyz/main.php 0 bytes N/A

POST duiy.xyz/ 0 bytes N/A
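Every request above is a POST to a ".jpg" path, and the threat identifiers record that each of those paths returned an executable. The following Python is an added example, not VMRay logic: it sniffs a response body for a real PE signature (MZ stub whose e_lfanew points at "PE\0\0") instead of trusting the two-byte prefix, and flags both the extension/content mismatch and the image-fetched-by-POST pattern. The bodies and the (method, url, body) record layout are constructed here.

```python
"""Flag HTTP transfers whose URL says "image" but whose body is a PE, and
POSTs to image paths. Added example, not VMRay logic; it mirrors the
duiy.xyz/N.jpg rows above, where each ".jpg" delivered an executable. The
bodies and the (method, url, body) record layout are constructed here."""
import struct
from typing import List, Tuple
from urllib.parse import urlsplit

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def sniff(body: bytes) -> str:
    """Coarse type from magic bytes. For PE, follow e_lfanew to the "PE\\0\\0"
    signature rather than trusting the two-byte MZ prefix."""
    if body[:2] == b"MZ" and len(body) >= 0x40:
        e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
        if body[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        return "mz-stub"
    if body[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if body[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    return "unknown"


def url_ext(url: str) -> str:
    """Lower-cased extension of the URL path's last segment, or '' if none."""
    last = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    return last[last.rfind("."):] if "." in last else ""


def flag_response(method: str, url: str, body: bytes) -> List[str]:
    """Detections for one transfer: image URL carrying a PE, and POST to an image URL."""
    ext = url_ext(url)
    hits = []
    if ext in IMAGE_EXTS and sniff(body) == "pe":
        hits.append(f"extension/content mismatch: {ext} URL returned a PE")
    if method.upper() == "POST" and ext in IMAGE_EXTS:
        hits.append("POST to an image URL (static images are fetched with GET)")
    return hits


def fake_pe() -> bytes:
    """Smallest byte string sniff() accepts as a PE: MZ, e_lfanew=0x40, PE\\0\\0 at 0x40. Constructed."""
    buf = bytearray(0x44)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


# Constructed transfers: the report's .jpg pattern, a legitimate JPEG, and the report's main.php POST.
SAMPLE_TRANSFERS: List[Tuple[str, str, bytes]] = [
    ("POST", "http://duiy.xyz/6.jpg", fake_pe()),
    ("GET", "http://example.invalid/photo.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 16),
    ("POST", "http://duiy.xyz/main.php", b"ok"),
]


def triage(transfers):
    """Map each URL to the detections its transfer triggered."""
    return {url: flag_response(m, url, body) for m, url, body in transfers}


if __name__ == "__main__":
    for url, hits in triage(SAMPLE_TRANSFERS).items():
        print(url, hits or "clean")
```

Reading e_lfanew matters in practice: plenty of benign non-PE data starts with "MZ" by coincidence, and a sniffer that stops at the prefix produces false positives at proxy scale.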


BEHAVIOR

Process Graph

Sample Start -> #1 dfi_078_41_02_005.pdf.exe
#1 dfi_078_41_02_005.pdf.exe -> #2 dfi_078_41_02_005.pdf.exe (Child Process; Modify Memory; Modify Control Flow)
#2 dfi_078_41_02_005.pdf.exe -> #3 cmd.exe (Child Process)
Reboot -> #5 notpad.exe (Autostart)


Process #1: dfi_078_41_02_005.pdf.exe

ID 1

Filename c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe

Command Line "C:\Users\RDhJ0CNFevzX\Desktop\DFI_078_41_02_005.pdf.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 63811, Reason: Analysis Target

Unmonitor End Time End Time: 166772, Reason: Terminated

Monitor Duration 102.96s

Return Code 0

PID 816

Parent PID 2104

Bitness 32 Bit

Dropped Files (1)

Filename | File Size | SHA256 | YARA Match
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\DFI_078_41_02_005.pdf.exe | 463.80 KB | 2b5a82318d126c8d7f49bfcf1a093d349da46924c7bdae0ed0428ddd4549feb3 | -

Host Behavior

Type Count

File 7

System 1351

User 1

Process 104

Module 23

Registry 3

- 3

- 8


Process #2: dfi_078_41_02_005.pdf.exe

ID 2

Filename c:\users\rdhj0cnfevzx\appdata\local\temp\dfi_078_41_02_005.pdf.exe

Command Line C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\DFI_078_41_02_005.pdf.exe

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 163376, Reason: Child Process

Unmonitor End Time End Time: 186998, Reason: Terminated

Monitor Duration 23.62s

Return Code 0

PID 1264

Parent PID 816

Bitness 32 Bit

Injection Information (7)

Injection Type | Source Process | Source / Target TID | Address / Name | Size | Success Count
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe | 0x5b4 | 0x400000 (4194304) | 0x400 | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe | 0x5b4 | 0x401000 (4198400) | 0x25a00 | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe | 0x5b4 | 0x427000 (4354048) | 0x8200 | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe | 0x5b4 | 0x430000 (4390912) | 0x1200 | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe | 0x5b4 | 0x435000 (4411392) | 0x2e00 | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe | 0x5b4 | 0x27a008 (2596872) | 0x4 | 1
Modify Control Flow | #1: c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe | 0x5b4 / 0x954 | - | - | 1
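The write sequence in this table (a 0x400-byte write at the page-aligned base 0x400000, page-aligned section-sized writes above it, one 4-byte write far outside the image, then a thread-context change on the child) is the order in which a self-hollowing (RunPE) loader rebuilds its payload inside a suspended copy of itself. The following Python is an added example, not VMRay's own logic: a heuristic that classifies such telemetry by that ordering. The rows are transcribed from the table; the tuple layout, and the reading of the 4-byte write as a patch of PEB.ImageBaseAddress (PEB+0x08 on x86), are assumptions.

```python
"""Heuristic over cross-process write telemetry such as the Injection
Information table above. Added example, not VMRay's own logic. A parent
that writes a PE-header-sized block at a page-aligned image base, follows it
with page-aligned section writes into the same image, and then changes the
child's thread context is performing the self-hollowing (RunPE) sequence.
Rows are transcribed from the table; the tuple layout is an assumption."""
from typing import List, Tuple

PAGE = 0x1000           # x86 page size; image bases and section starts are page aligned
PE_HEADER_MAX = 0x1000  # DOS+NT headers fit in the first page of a mapped image

# (operation, target address, size) for process #1 -> process #2, from the table.
INJECTION_ROWS: List[Tuple[str, int, int]] = [
    ("Modify Memory", 0x400000, 0x400),
    ("Modify Memory", 0x401000, 0x25A00),
    ("Modify Memory", 0x427000, 0x8200),
    ("Modify Memory", 0x430000, 0x1200),
    ("Modify Memory", 0x435000, 0x2E00),
    # 4-byte write outside the image; PEB+0x08 is ImageBaseAddress on x86 (interpretation, not from the report)
    ("Modify Memory", 0x27A008, 0x4),
    ("Modify Control Flow", 0, 0),
]


def classify_injection(rows: List[Tuple[str, int, int]]) -> Tuple[str, List[str]]:
    """Return (verdict, evidence); verdict is 'self-hollowing' only when a header
    write, at least one section write and a context change appear in that order."""
    evidence: List[str] = []
    header_base = None
    image_end = 0
    section_writes = 0
    for op, addr, size in rows:
        if op == "Modify Memory":
            if header_base is None:
                if addr % PAGE == 0 and size <= PE_HEADER_MAX:
                    header_base = addr
                    image_end = addr + size
                    evidence.append(f"header-sized write ({size:#x} bytes) at page-aligned base {addr:#x}")
            elif addr % PAGE == 0 and addr > header_base:
                section_writes += 1
                image_end = max(image_end, addr + size)
            elif size == 4 and not header_base <= addr < image_end:
                evidence.append(f"4-byte write outside the image at {addr:#x} (consistent with patching PEB.ImageBaseAddress)")
        elif op == "Modify Control Flow" and header_base is not None and section_writes:
            evidence.append(f"{section_writes} section writes after the header at {header_base:#x}, then thread context changed")
            return "self-hollowing", evidence
    return "inconclusive", evidence


if __name__ == "__main__":
    verdict, why = classify_injection(INJECTION_ROWS)
    print(verdict)
    for line in why:
        print("  -", line)
```

The heuristic deliberately requires the context change after the writes: memory writes alone also occur in benign debuggers and instrumentation, and a header-only write with no sections is left inconclusive.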

Dropped Files (12)

Filename | File Size | SHA256 | YARA Match
- | 0 bytes | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | -
C:\\ProgramData\\softokn3.dll | 141.45 KB | 43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083 | -
C:\\ProgramData\\sqlite3.dll | 630.46 KB | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 | -
C:\\ProgramData\\freebl3.dll | 326.45 KB | a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba | -
C:\\ProgramData\\mozglue.dll | 133.95 KB | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd | -
C:\\ProgramData\\msvcp140.dll | 429.80 KB | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 | -
C:\\ProgramData\\nss3.dll | 1216.95 KB | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 | -
C:\\ProgramData\\vcruntime140.dll | 81.82 KB | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d | -
system.txt | 2.01 KB | aafac5c83e77d89a3ffc148e2d35833db94dc4d0fd90643ecfbc84ca9b3e6047 | -
C:\\ProgramData\\841859659216477\screenshot.jpg | 88.18 KB | 6ab1e7b6d0e5c0d92af285d3ff2ddc7016a20e9c53e323ec2b532eff9338cf78 | -
outlook.txt | 527 bytes | 1ddf9ccdf8405a70cb261c09df1cafcdcf0f980e03c441a841d3543b42879259 | -
_8418596592.zip | 85.05 KB | f6e86d4f4aa3ca96d71bffb21ffaabe7dcd86a3909a085612a33e1da68bd1ab9 | -

Host Behavior

Type Count

Module 93

File 741

Environment 1

System 13

Registry 205

User 1

Keyboard 2

Process 1

Network Behavior

Type Count

HTTP 9

TCP 1


Process #3: cmd.exe

ID 3

Filename c:\windows\syswow64\cmd.exe

Command Line "C:\Windows\System32\cmd.exe" /c taskkill /pid 1264 & erase C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\DFI_078_41_02_005.pdf.exe & RD /S /Q C:\\ProgramData\\841859659216477\\* & exit

Initial Working Directory C:\ProgramData\

Monitor Start Time Start Time: 181163, Reason: Child Process

Unmonitor End Time End Time: 198735, Reason: Terminated

Monitor Duration 17.57s

Return Code 3221225794 (0xC0000142, STATUS_DLL_INIT_FAILED)

PID 2960

Parent PID 1264

Bitness 32 Bit


Process #5: notpad.exe

ID 5

Filename c:\users\rdhj0cnfevzx\appdata\local\notpad.exe

Command Line "C:\Users\RDhJ0CNFevzX\AppData\Local\notpad.exe"

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 256483, Reason: Autostart

Unmonitor End Time End Time: 313930, Reason: Terminated by Timeout

Monitor Duration 57.45s

Return Code Unknown

PID 2752

Parent PID 1628

Bitness 32 Bit

Host Behavior

Type Count

File 2

System 748


ARTIFACTS

File

SHA256 | Filenames | Category | Filesize | MIME Type | Operations | Verdict
2b5a82318d126c8d7f49bfcf1a093d349da46924c7bdae0ed0428ddd4549feb3 | C:\Users\RDhJ0CNFevzX\AppData\Local\notpad.exe, C:\Users\RDhJ0CNFevzX\Desktop\DFI_078_41_02_005.pdf.exe, C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\DFI_078_41_02_005.pdf.exe | Sample File | 463.80 KB | application/vnd.microsoft.portable-executable | Create, Access, Write | MALICIOUS
fb535c9815d52f2cebdd8d3478cef31252116661d10f0d10aa77b00f6c7e16e3 | c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat | Modified File | 128 bytes | application/octet-stream | - | CLEAN
aafac5c83e77d89a3ffc148e2d35833db94dc4d0fd90643ecfbc84ca9b3e6047 | C:\\ProgramData\\841859659216477\system.txt, system.txt | Dropped File | 2.01 KB | text/plain | Access, Read, Create, Write, Delete | CLEAN
6ab1e7b6d0e5c0d92af285d3ff2ddc7016a20e9c53e323ec2b532eff9338cf78 | C:\\ProgramData\\841859659216477\screenshot.jpg, screenshot.jpg | Dropped File | 88.18 KB | image/jpeg | Access, Read, Delete | CLEAN
1ddf9ccdf8405a70cb261c09df1cafcdcf0f980e03c441a841d3543b42879259 | C:\\ProgramData\\841859659216477\outlook.txt, outlook.txt | Embedded File | 527 bytes | text/plain | Access, Read, Create, Write, Delete | CLEAN
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083 | C:\\ProgramData\\softokn3.dll | Downloaded File | 141.45 KB | application/vnd.microsoft.portable-executable | Create, Access, Delete, Write | CLEAN
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 | C:\\ProgramData\\sqlite3.dll | Downloaded File | 630.46 KB | application/vnd.microsoft.portable-executable | Create, Access, Delete, Write | CLEAN
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba | C:\\ProgramData\\freebl3.dll | Downloaded File | 326.45 KB | application/vnd.microsoft.portable-executable | Create, Access, Delete, Write | CLEAN
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd | C:\\ProgramData\\mozglue.dll | Downloaded File | 133.95 KB | application/vnd.microsoft.portable-executable | Create, Access, Delete, Write | CLEAN
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 | C:\\ProgramData\\msvcp140.dll | Downloaded File | 429.80 KB | application/vnd.microsoft.portable-executable | Create, Access, Delete, Write | CLEAN
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 | C:\\ProgramData\\nss3.dll | Downloaded File | 1216.95 KB | application/vnd.microsoft.portable-executable | Create, Access, Delete, Write | CLEAN
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d | C:\\ProgramData\\vcruntime140.dll | Downloaded File | 81.82 KB | application/vnd.microsoft.portable-executable | Create, Access, Delete, Write | CLEAN
f6e86d4f4aa3ca96d71bffb21ffaabe7dcd86a3909a085612a33e1da68bd1ab9 | C:\\ProgramData\\841859659216477\_8418596592.zip, _8418596592.zip | Downloaded File | 85.05 KB | application/zip | Access, Read, Create, Write, Delete | CLEAN

Filename

Filename | Category | Operations | Verdict
C:\Users\RDhJ0CNFevzX\Desktop\DFI_078_41_02_005.pdf.exe | Sample File | Access | MALICIOUS
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\DFI_078_41_02_005.pdf.exe | Sample File | Create, Access, Write | MALICIOUS
C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\notpad.exe | Sample File | Create, Access, Write | CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Itself.exe | Accessed File | Access | CLEAN
C:\\ProgramData\\softokn3.dll | Downloaded File | Create, Access, Delete, Write | CLEAN
C:\\ProgramData\\sqlite3.dll | Downloaded File | Create, Access, Delete, Write | CLEAN
C:\\ProgramData\\freebl3.dll | Downloaded File | Create, Access, Delete, Write | CLEAN
C:\\ProgramData\\mozglue.dll | Downloaded File | Create, Access, Delete, Write | CLEAN
C:\\ProgramData\\msvcp140.dll | Downloaded File | Create, Access, Delete, Write | CLEAN
C:\\ProgramData\\nss3.dll | Downloaded File | Create, Access, Delete, Write | CLEAN
C:\\ProgramData\\vcruntime140.dll | Downloaded File | Create, Access, Delete, Write | CLEAN
C:\\ProgramData\\841859659216477 | Accessed File | Create, Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\\cookies | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\cc | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\autofill | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto | Accessed File | Create, Access | CLEAN
passwords.txt | Accessed File | Create, Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Google\\Chrome\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Chromium\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Kometa\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Amigo\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Torch\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Orbitum\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Comodo\\Dragon\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Nichrome\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Maxthon5\\Users\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Epic Privacy Browser\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Vivaldi\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\CocCoc\\Browser\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\uCozMedia\\Uran\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\QIP \\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\CentBrowser\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Elements Browser\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\TorBro\\Profile\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Edge\User Data\\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\CryptoTab Browser\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\BraveSoftware\\-Browser\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\Opera Software\\Opera Stable\\\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\Mozilla\\Firefox\\Profiles\\..\\profiles.ini | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\Moonchild Productions\\\\Profiles\\..\\profiles.ini | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\\\Profiles\\..\\profiles.ini | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\8pecxstudios\\Cyberfox\\Profiles\\..\\profiles.ini | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\NETGATE Technologies\\BlackHawk\\Profiles\\..\\profiles.ini | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\Mozilla\\icecat\\Profiles\\..\\profiles.ini | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\K-Meleon\\..\\profiles.ini | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\Thunderbird\\Profiles\\..\\profiles.ini | Accessed File | Access | CLEAN
outlook.txt | Dropped File, Embedded File | Create, Access, Read, Write | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Ethereum\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Electrum | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Electrum-LTC | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\ElectronCash | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Exodus\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\MultiDoge\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Zcash\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\DashCore\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Litecoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Anoncoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\BBQCoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\devcoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\digitalcoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Florincoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Franko\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Freicoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\GoldCoinGLD | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Infinitecoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\IOCoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Ixcoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Megacoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Mincoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Namecoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Primecoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Terracoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\YACoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\jaxx\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\jaxx\\. | Accessed File | Create, Access, Write | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\. | Accessed File | Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\jaxx\\.. | Accessed File | Create, Access, Write | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\.. | Accessed File | Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\jaxx\\autofill | Accessed File | Create, Access, Write | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\autofill | Accessed File | Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\jaxx\\cc | Accessed File | Create, Access, Write | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\cc | Accessed File | Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\jaxx\\cookies | Accessed File | Create, Access, Write | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\cookies | Accessed File | Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\jaxx\\crypto | Accessed File | Create, Access, Write | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\crypto | Accessed File | Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\jaxx\\outlook.txt | Accessed File | Create, Access, Write | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\outlook.txt | Accessed File | Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\jaxx\\passwords.txt | Accessed File | Create, Access, Write | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\passwords.txt | Accessed File | Access | CLEAN
system.txt | Dropped File | Create, Access, Write | CLEAN
_8418596592.zip | Downloaded File | Create, Access, Read, Write | CLEAN
C:\\ProgramData\\841859659216477\autofill | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\cc | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\cookies | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Anoncoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\BBQCoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Bitcoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\DashCore | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\devcoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\digitalcoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\ElectronCash | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Electrum | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Electrum-LTC | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Ethereum | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Exodus | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Florincoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Franko | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Freicoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\GoldCoinGLD | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Infinitecoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\IOCoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Ixcoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\jaxx | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Litecoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Megacoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Mincoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\MultiDoge | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Namecoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Primecoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Terracoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\YACoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Zcash | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\outlook.txt | Dropped File, Embedded File | Access, Read, Delete | CLEAN
C:\\ProgramData\\841859659216477\passwords.txt | Accessed File | Access, Read, Delete | CLEAN
C:\\ProgramData\\841859659216477\screenshot.jpg | Dropped File | Access, Read, Delete | CLEAN
C:\\ProgramData\\841859659216477\system.txt | Dropped File | Access, Read, Delete | CLEAN
C:\\ProgramData\\841859659216477\_8418596592.zip | Downloaded File | Access, Delete | CLEAN

URL

URL Category IP Address Country HTTP Methods Verdict

http://duiy.xyz/6.jpg 45.144.225.201 POST CLEAN

http://duiy.xyz/1.jpg 45.144.225.201 POST CLEAN

http://duiy.xyz/2.jpg 45.144.225.201 POST CLEAN

http://duiy.xyz/3.jpg 45.144.225.201 POST CLEAN

http://duiy.xyz/4.jpg 45.144.225.201 POST CLEAN

http://duiy.xyz/5.jpg 45.144.225.201 POST CLEAN

http://duiy.xyz/7.jpg 45.144.225.201 POST CLEAN

http://duiy.xyz/main.php 45.144.225.201 POST CLEAN

http://duiy.xyz 45.144.225.201 POST CLEAN


Domain

Domain IP Address Country Protocols Verdict

duiy.xyz 45.144.225.201 HTTP CLEAN

IP

IP Address Domains Country Protocols Verdict

45.144.225.201 duiy.xyz United States DNS, HTTP, TCP CLEAN

Email

-

Email Address

-

Mutex

-

Registry

Registry Key Operations Parent Process Name Verdict

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\notpad | access, read, write | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_PERFORMANCE_DATA | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | access | dfi_078_41_02_005.pdf.exe | CLEAN


HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000001 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000002 | access | dfi_078_41_02_005.pdf.exe | CLEAN


HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000003 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000004 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data | access | dfi_078_41_02_005.pdf.exe | CLEAN


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0FA68574-690B-4B00-89AA-B28946231449} | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0FA68574-690B-4B00-89AA-B28946231449}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0FA68574-690B-4B00-89AA-B28946231449}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E} | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757 | access | dfi_078_41_02_005.pdf.exe | CLEAN


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2} | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a} | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{65e650ff-30be-469d-b63a-418d71ea1765} | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{65e650ff-30be-469d-b63a-418d71ea1765}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{65e650ff-30be-469d-b63a-418d71ea1765}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6913e92a-b64e-41c9-a5e6-cef39207fe89} | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2} | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE} | access | dfi_078_41_02_005.pdf.exe | CLEAN


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-0000-0000000FF1CE} | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-0000-0000000FF1CE}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-0000-0000000FF1CE}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9} | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB} | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d} | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573 | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185} | access | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN

Process

Process Name Commandline Verdict

dfi_078_41_02_005.pdf.exe | "C:\Users\RDhJ0CNFevzX\Desktop\DFI_078_41_02_005.pdf.exe" | SUSPICIOUS

dfi_078_41_02_005.pdf.exe | C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\DFI_078_41_02_005.pdf.exe | SUSPICIOUS

notpad.exe | "C:\Users\RDhJ0CNFevzX\AppData\Local\notpad.exe" | SUSPICIOUS

cmd.exe | "C:\Windows\System32\cmd.exe" /c taskkill /pid 1264 & erase C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\DFI_078_41_02_005.pdf.exe & RD /S /Q C:\ProgramData\841859659216477\* & exit | CLEAN


YARA / AV

No YARA or AV matches available.


ENVIRONMENT

Virtual Machine Information

Name win10_64_th2_en_mso2016

Description win10_64_th2_en_mso2016

Architecture x86 64-bit

Operating System Windows 10 Threshold 2

Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)

Network Scheme Name Local Gateway

Network Config Name Local Gateway

Analyzer Information

Analyzer Version 4.1.1

Dynamic Engine Version 4.1.1 / 02/08/2021 15:19

Static Engine Version 1.6.0

Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (November 12, 2020)

Built-in AV Database Update Release Date 2021-04-21 14:31:11+00:00

VTI Ruleset Version 3.8

YARA Built-in Ruleset Version 1.5

Analysis Report Layout Version 10

Software Information

Adobe Acrobat Reader Version Not installed

Microsoft Office 2016

Microsoft Office Version 16.0.4266.1003

Internet Explorer Version 11.0.10586.0

Chrome Version Not installed

Firefox Version Not installed

Flash Version Not installed

Java Version Not installed
