DYNAMIC ANALYSIS REPORT #1191526
Classifications: Downloader Spyware
Verdict: MALICIOUS
Threat Names: -
Verdict Reason: -
Sample Type Windows Exe (x86-32)
Sample Name DFI_078_41_02_005.pdf.exe
ID #392292
MD5 401b898010200d87fa8b93e0bf20f45d
SHA1 dd1621dfaaffc7ecf9e4b52215eda9bd7cfe1a3b
SHA256 2b5a82318d126c8d7f49bfcf1a093d349da46924c7bdae0ed0428ddd4549feb3
File Size 463.80 KB
Report Created 2021-04-21 20:23 (UTC+2)
Target Environment win10_64_th2_en_mso2016 | exe
X-Ray Vision for Malware - www.vmray.com 1 / 31 DYNAMIC ANALYSIS REPORT #1191526
OVERVIEW
VMRay Threat Identifiers (18 rules, 46 matches)
Score Category Operation Count Classification
5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware
• Tries to read sensitive data of: Kometa, Comodo Dragon, Elements Browser, Cyberfox, Opera, Mozilla Thunderbird, Epic Privacy Browser, BlackHawk, Torch, Chromium, Internet Explorer, CocCoc, Orbitum, Amigo, Google Chrome, Mozilla Firefox, Vivaldi, Uran, CentBrowser.
4/5 Masquerade Uses a double file extension 2 -
• File "c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe" has a double file extension.
• File "c:\users\rdhj0cnfevzx\appdata\local\temp\dfi_078_41_02_005.pdf.exe" has a double file extension.
2/5 Data Collection Reads sensitive browser data 18 -
• (Process #2) dfi_078_41_02_005.pdf.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Google Chrome" by file.
• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Chromium" by file.
• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Kometa" by file.
• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Amigo" by file.
• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Torch" by file.
• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Orbitum" by file.
• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Comodo Dragon" by file.
• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Epic Privacy Browser" by file.
• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Vivaldi" by file.
• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "CocCoc" by file.
• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Uran" by file.
• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "CentBrowser" by file.
• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Elements Browser" by file.
• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Opera" by file.
• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Mozilla Firefox" by file.
• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "Cyberfox" by file.
• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of web browser "BlackHawk" by file.
2/5 Data Collection Reads sensitive mail data 1 -
• (Process #2) dfi_078_41_02_005.pdf.exe tries to read sensitive data of mail application "Mozilla Thunderbird" by file.
2/5 Anti Analysis Tries to detect virtual machine 1 -
• Multiple processes are possibly trying to detect a VM via rdtsc.
2/5 Heuristics Signed executable failed signature validation 1 -
• C:\Users\RDhJ0CNFevzX\Desktop\DFI_078_41_02_005.pdf.exe is signed, but signature validation failed.
2/5 Injection Writes into the memory of a process running from a created or modified executable 1 -
• (Process #1) dfi_078_41_02_005.pdf.exe modifies memory of (process #2) dfi_078_41_02_005.pdf.exe.
2/5 Injection Modifies control flow of a process running from a created or modified executable 1 -
• (Process #1) dfi_078_41_02_005.pdf.exe alters context of (process #2) dfi_078_41_02_005.pdf.exe.
1/5 Privilege Escalation Enables process privilege 1 -
• (Process #1) dfi_078_41_02_005.pdf.exe enables process privilege "SeDebugPrivilege".
1/5 Persistence Installs system startup script or application 1 -
• (Process #1) dfi_078_41_02_005.pdf.exe adds ""C:\Users\RDhJ0CNFevzX\AppData\Local\notpad.exe"" to Windows startup via registry.
1/5 Hide Tracks Creates process with hidden window 2 -
• (Process #1) dfi_078_41_02_005.pdf.exe starts (process #2) dfi_078_41_02_005.pdf.exe with a hidden window.
• (Process #2) dfi_078_41_02_005.pdf.exe starts (process #2) dfi_078_41_02_005.pdf.exe with a hidden window.
1/5 Discovery Enumerates running processes 1 -
• (Process #1) dfi_078_41_02_005.pdf.exe enumerates running processes.
1/5 Obfuscation Reads from memory of another process 1 -
• (Process #1) dfi_078_41_02_005.pdf.exe reads from (process #2) dfi_078_41_02_005.pdf.exe.
1/5 Obfuscation Creates a page with write and execute permissions 1 -
• (Process #1) dfi_078_41_02_005.pdf.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
1/5 Discovery Possibly does reconnaissance 4 -
• (Process #2) dfi_078_41_02_005.pdf.exe tries to gather information about application "Mozilla Firefox" by file.
• (Process #2) dfi_078_41_02_005.pdf.exe tries to gather information about application "Cyberfox" by file.
• (Process #2) dfi_078_41_02_005.pdf.exe tries to gather information about application "blackHawk" by file.
• (Process #2) dfi_078_41_02_005.pdf.exe tries to gather information about application "icecat" by file.
1/5 Obfuscation Resolves API functions dynamically 1 -
• (Process #2) dfi_078_41_02_005.pdf.exe resolves 74 API functions by name.
1/5 Execution Executes itself 1 -
• (Process #1) dfi_078_41_02_005.pdf.exe executes a copy of the sample at c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe.
1/5 Network Connection Downloads executable 7 Downloader
• (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/6.jpg.
• (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/1.jpg.
• (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/2.jpg.
• (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/3.jpg.
• (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/4.jpg.
• (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/5.jpg.
• (Process #2) dfi_078_41_02_005.pdf.exe downloads executable via http from duiy.xyz/7.jpg.
- Trusted Known clean file 7 -
• File "C:\\ProgramData\\softokn3.dll" is a known clean file.
• File "C:\\ProgramData\\sqlite3.dll" is a known clean file.
• File "C:\\ProgramData\\freebl3.dll" is a known clean file.
• File "C:\\ProgramData\\mozglue.dll" is a known clean file.
• File "C:\\ProgramData\\msvcp140.dll" is a known clean file.
• File "C:\\ProgramData\\nss3.dll" is a known clean file.
• File "C:\\ProgramData\\vcruntime140.dll" is a known clean file.
Remarks
Auto Reboot Triggered (0x02000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.
Mitre ATT&CK Matrix
Technique | Tactic(s)
#T1036 Masquerading | Defense Evasion
#T1060 Registry Run Keys / Startup Folder | Persistence
#T1112 Modify Registry | Defense Evasion
#T1143 Hidden Window | Defense Evasion
#T1057 Process Discovery | Discovery
#T1045 Software Packing | Defense Evasion
#T1119 Automated Collection | Collection
#T1003 Credential Dumping | Credential Access
#T1005 Data from Local System | Collection
#T1081 Credentials in Files | Credential Access
#T1083 File and Directory Discovery | Discovery
#T1497 Virtualization/Sandbox Evasion | Defense Evasion, Discovery
#T1124 System Time Discovery | Discovery
#T1071 Standard Application Layer Protocol | Command and Control
#T1105 Remote File Copy | Lateral Movement, Command and Control
Sample Information
ID 1191526
MD5 401b898010200d87fa8b93e0bf20f45d
SHA1 dd1621dfaaffc7ecf9e4b52215eda9bd7cfe1a3b
SHA256 2b5a82318d126c8d7f49bfcf1a093d349da46924c7bdae0ed0428ddd4549feb3
SSDeep 6144:Zz3df/UYtfUeAIQHuA36cdrNSvsdssKDJXJ6a/2aKE4VCQMCS:f/JeeAItC66Jtg1Iajg/
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
Filename DFI_078_41_02_005.pdf.exe
File Size 463.80 KB
Sample Type Windows Exe (x86-32)
Has Macros
Analysis Information
Creation Time 2021-04-21 20:23 (UTC+2)
Analysis Duration 00:04:00
Termination Reason Timeout
Number of Monitored Processes 4
Execution Successful False
Reputation Analysis Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 0
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 0
Screenshots truncated.
NETWORK
General
133.18 KB total sent
3044.97 KB total received
1 ports 80
1 contacted IP addresses
0 URLs extracted
8 files downloaded
0 malicious hosts detected
DNS
0 DNS requests for 0 domains
0 nameservers contacted
0 total requests returned errors
HTTP/S
9 URLs contacted, 1 servers
1 sessions, 133.18 KB sent, 3044.97 KB received
DNS Requests
-
HTTP Requests
Method URL Dest. IP Dest. Port Status Code Response Size Verdict
POST duiy.xyz/6.jpg 0 bytes N/A
POST duiy.xyz/1.jpg 0 bytes N/A
POST duiy.xyz/2.jpg 0 bytes N/A
POST duiy.xyz/3.jpg 0 bytes N/A
POST duiy.xyz/4.jpg 0 bytes N/A
POST duiy.xyz/5.jpg 0 bytes N/A
POST duiy.xyz/7.jpg 0 bytes N/A
POST duiy.xyz/main.php 0 bytes N/A
POST duiy.xyz/ 0 bytes N/A
BEHAVIOR
Process Graph
Sample Start -> #1 dfi_078_41_02_005.pdf.exe
#1 dfi_078_41_02_005.pdf.exe -> #2 dfi_078_41_02_005.pdf.exe (Modify Memory, Modify Control Flow, Child Process)
#2 dfi_078_41_02_005.pdf.exe -> #3 cmd.exe (Child Process)
Reboot #1 -> #5 notpad.exe
Process #1: dfi_078_41_02_005.pdf.exe
ID 1
Filename c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\DFI_078_41_02_005.pdf.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 63811, Reason: Analysis Target
Unmonitor End Time End Time: 166772, Reason: Terminated
Monitor Duration 102.96s
Return Code 0
PID 816
Parent PID 2104
Bitness 32 Bit
Dropped Files (1)
Filename | File Size | SHA256 | YARA Match
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\DFI_078_41_02_005.pdf.exe | 463.80 KB | 2b5a82318d126c8d7f49bfcf1a093d349da46924c7bdae0ed0428ddd4549feb3 |
Host Behavior
Type Count
File 7
System 1351
User 1
Process 104
Module 23
Registry 3
- 3
- 8
Process #2: dfi_078_41_02_005.pdf.exe
ID 2
Filename c:\users\rdhj0cnfevzx\appdata\local\temp\dfi_078_41_02_005.pdf.exe
Command Line C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\DFI_078_41_02_005.pdf.exe
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 163376, Reason: Child Process
Unmonitor End Time End Time: 186998, Reason: Terminated
Monitor Duration 23.62s
Return Code 0
PID 1264
Parent PID 816
Bitness 32 Bit
Injection Information (7)
Injection Type | Source Process | Source / Target TID | Address / Name | Size | Success | Count
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe | 0x5b4 | 0x400000 (4194304) | 0x400 | | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe | 0x5b4 | 0x401000 (4198400) | 0x25a00 | | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe | 0x5b4 | 0x427000 (4354048) | 0x8200 | | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe | 0x5b4 | 0x430000 (4390912) | 0x1200 | | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe | 0x5b4 | 0x435000 (4411392) | 0x2e00 | | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe | 0x5b4 | 0x27a008 (2596872) | 0x4 | | 1
Modify Control Flow | #1: c:\users\rdhj0cnfevzx\desktop\dfi_078_41_02_005.pdf.exe | 0x5b4 / 0x954 | - | | | 1
Dropped Files (12)
Filename | File Size | SHA256 | YARA Match
- | 0 bytes | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\\ProgramData\\softokn3.dll | 141.45 KB | 43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083 |
C:\\ProgramData\\sqlite3.dll | 630.46 KB | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 |
C:\\ProgramData\\freebl3.dll | 326.45 KB | a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba |
C:\\ProgramData\\mozglue.dll | 133.95 KB | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
C:\\ProgramData\\msvcp140.dll | 429.80 KB | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
C:\\ProgramData\\nss3.dll | 1216.95 KB | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
C:\\ProgramData\\vcruntime140.dll | 81.82 KB | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
system.txt | 2.01 KB | aafac5c83e77d89a3ffc148e2d35833db94dc4d0fd90643ecfbc84ca9b3e6047 |
C:\\ProgramData\\841859659216477\screenshot.jpg | 88.18 KB | 6ab1e7b6d0e5c0d92af285d3ff2ddc7016a20e9c53e323ec2b532eff9338cf78 |
outlook.txt | 527 bytes | 1ddf9ccdf8405a70cb261c09df1cafcdcf0f980e03c441a841d3543b42879259 |
_8418596592.zip | 85.05 KB | f6e86d4f4aa3ca96d71bffb21ffaabe7dcd86a3909a085612a33e1da68bd1ab9 |
Host Behavior
Type Count
Module 93
File 741
Environment 1
System 13
Registry 205
User 1
Keyboard 2
Process 1
Network Behavior
Type Count
HTTP 9
TCP 1
Process #3: cmd.exe
ID 3
Filename c:\windows\syswow64\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c taskkill /pid 1264 & erase C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\DFI_078_41_02_005.pdf.exe & RD /S /Q C:\\ProgramData\\841859659216477\\* & exit
Initial Working Directory C:\ProgramData\
Monitor Start Time Start Time: 181163, Reason: Child Process
Unmonitor End Time End Time: 198735, Reason: Terminated
Monitor Duration 17.57s
Return Code 3221225794
PID 2960
Parent PID 1264
Bitness 32 Bit
Process #5: notpad.exe
ID 5
Filename c:\users\rdhj0cnfevzx\appdata\local\notpad.exe
Command Line "C:\Users\RDhJ0CNFevzX\AppData\Local\notpad.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 256483, Reason: Autostart
Unmonitor End Time End Time: 313930, Reason: Terminated by Timeout
Monitor Duration 57.45s
Return Code Unknown
PID 2752
Parent PID 1628
Bitness 32 Bit
Host Behavior
Type Count
File 2
System 748
ARTIFACTS
File
SHA256 | Filenames | Category | Filesize | MIME Type | Operations | Verdict
2b5a82318d126c8d7f49bfcf1a093d349da46924c7bdae0ed0428ddd4549feb3 | C:\Users\RDhJ0CNFevzX\AppData\Local\notpad.exe, C:\Users\RDhJ0CNFevzX\Desktop\DFI_078_41_02_005.pdf.exe, C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\DFI_078_41_02_005.pdf.exe | Sample File | 463.80 KB | application/vnd.microsoft.portable-executable | Create, Access, Write | MALICIOUS
fb535c9815d52f2cebdd8d3478cef31252116661d10f0d10aa77b00f6c7e16e3 | c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat | Modified File | 128 bytes | application/octet-stream | | CLEAN
aafac5c83e77d89a3ffc148e2d35833db94dc4d0fd90643ecfbc84ca9b3e6047 | C:\\ProgramData\\841859659216477\system.txt, system.txt | Dropped File | 2.01 KB | text/plain | Access, Read, Create, Write, Delete | CLEAN
6ab1e7b6d0e5c0d92af285d3ff2ddc7016a20e9c53e323ec2b532eff9338cf78 | C:\\ProgramData\\841859659216477\screenshot.jpg, screenshot.jpg | Dropped File | 88.18 KB | image/jpeg | Access, Read, Delete | CLEAN
1ddf9ccdf8405a70cb261c09df1cafcdcf0f980e03c441a841d3543b42879259 | C:\\ProgramData\\841859659216477\outlook.txt, outlook.txt | Embedded File | 527 bytes | text/plain | Access, Read, Create, Write, Delete | CLEAN
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083 | C:\\ProgramData\\softokn3.dll | Downloaded File | 141.45 KB | application/vnd.microsoft.portable-executable | Create, Access, Delete, Write | CLEAN
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 | C:\\ProgramData\\sqlite3.dll | Downloaded File | 630.46 KB | application/vnd.microsoft.portable-executable | Create, Access, Delete, Write | CLEAN
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba | C:\\ProgramData\\freebl3.dll | Downloaded File | 326.45 KB | application/vnd.microsoft.portable-executable | Create, Access, Delete, Write | CLEAN
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd | C:\\ProgramData\\mozglue.dll | Downloaded File | 133.95 KB | application/vnd.microsoft.portable-executable | Create, Access, Delete, Write | CLEAN
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 | C:\\ProgramData\\msvcp140.dll | Downloaded File | 429.80 KB | application/vnd.microsoft.portable-executable | Create, Access, Delete, Write | CLEAN
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 | C:\\ProgramData\\nss3.dll | Downloaded File | 1216.95 KB | application/vnd.microsoft.portable-executable | Create, Access, Delete, Write | CLEAN
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d | C:\\ProgramData\\vcruntime140.dll | Downloaded File | 81.82 KB | application/vnd.microsoft.portable-executable | Create, Access, Delete, Write | CLEAN
f6e86d4f4aa3ca96d71bffb21ffaabe7dcd86a3909a085612a33e1da68bd1ab9 | C:\\ProgramData\\841859659216477\_8418596592.zip, _8418596592.zip | Downloaded File | 85.05 KB | application/zip | Access, Read, Create, Write, Delete | CLEAN
Filename
Filename | Category | Operations | Verdict
C:\Users\RDhJ0CNFevzX\Desktop\DFI_078_41_02_005.pdf.exe | Sample File | Access | MALICIOUS
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\DFI_078_41_02_005.pdf.exe | Sample File | Create, Access, Write | MALICIOUS
C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\notpad.exe | Sample File | Create, Access, Write | CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Itself.exe | Accessed File | Access | CLEAN
C:\\ProgramData\\softokn3.dll | Downloaded File | Create, Access, Delete, Write | CLEAN
C:\\ProgramData\\sqlite3.dll | Downloaded File | Create, Access, Delete, Write | CLEAN
C:\\ProgramData\\freebl3.dll | Downloaded File | Create, Access, Delete, Write | CLEAN
C:\\ProgramData\\mozglue.dll | Downloaded File | Create, Access, Delete, Write | CLEAN
C:\\ProgramData\\msvcp140.dll | Downloaded File | Create, Access, Delete, Write | CLEAN
C:\\ProgramData\\nss3.dll | Downloaded File | Create, Access, Delete, Write | CLEAN
C:\\ProgramData\\vcruntime140.dll | Downloaded File | Create, Access, Delete, Write | CLEAN
C:\\ProgramData\\841859659216477 | Accessed File | Create, Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\\cookies | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\cc | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\autofill | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto | Accessed File | Create, Access | CLEAN
passwords.txt | Accessed File | Create, Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Google\\Chrome\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Chromium\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Kometa\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Amigo\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Torch\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Orbitum\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Comodo\\Dragon\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Nichrome\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Maxthon5\\Users\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Sputnik\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Epic Privacy Browser\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Vivaldi\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\CocCoc\\Browser\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\uCozMedia\\Uran\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\QIP Surf\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\CentBrowser\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\Elements Browser\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\TorBro\\Profile\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Edge\User Data\\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\CryptoTab Browser\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\\BraveSoftware\\Brave-Browser\\User Data\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\Opera Software\\Opera Stable\\\Local State | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\Mozilla\\Firefox\\Profiles\\..\\profiles.ini | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\Moonchild Productions\\Pale Moon\\Profiles\\..\\profiles.ini | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\Waterfox\\Profiles\\..\\profiles.ini | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\8pecxstudios\\Cyberfox\\Profiles\\..\\profiles.ini | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\NETGATE Technologies\\BlackHawk\\Profiles\\..\\profiles.ini | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\Mozilla\\icecat\\Profiles\\..\\profiles.ini | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\K-Meleon\\..\\profiles.ini | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\Thunderbird\\Profiles\\..\\profiles.ini | Accessed File | Access | CLEAN
outlook.txt | Dropped File, Embedded File | Create, Access, Read, Write | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Bitcoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Ethereum\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Electrum | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Electrum-LTC | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\ElectronCash | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Exodus\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\MultiDoge\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Zcash\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\DashCore\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Litecoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Anoncoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\BBQCoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\devcoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\digitalcoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Florincoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Franko\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Freicoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\GoldCoinGLD | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Infinitecoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\IOCoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Ixcoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Megacoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Mincoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Namecoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Primecoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\Terracoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\YACoin\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\jaxx\\ | Accessed File | Create, Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\jaxx\\. | Accessed File | Create, Access, Write | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\. | Accessed File | Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\jaxx\\.. | Accessed File | Create, Access, Write | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\.. | Accessed File | Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\jaxx\\autofill | Accessed File | Create, Access, Write | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\autofill | Accessed File | Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\jaxx\\cc | Accessed File | Create, Access, Write | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\cc | Accessed File | Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\jaxx\\cookies | Accessed File | Create, Access, Write | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\cookies | Accessed File | Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\jaxx\\crypto | Accessed File | Create, Access, Write | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\crypto | Accessed File | Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\jaxx\\outlook.txt | Accessed File | Create, Access, Write | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\outlook.txt | Accessed File | Access | CLEAN
C:\\ProgramData\\841859659216477\\crypto\\jaxx\\passwords.txt | Accessed File | Create, Access, Write | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\passwords.txt | Accessed File | Access | CLEAN
system.txt | Dropped File | Create, Access, Write | CLEAN
_8418596592.zip | Downloaded File | Create, Access, Read, Write | CLEAN
C:\\ProgramData\\841859659216477\autofill | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\cc | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\cookies | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Anoncoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\BBQCoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Bitcoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\DashCore | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\devcoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\digitalcoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\ElectronCash | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Electrum | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Electrum-LTC | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Ethereum | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Exodus | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Florincoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Franko | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Freicoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\GoldCoinGLD | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Infinitecoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\IOCoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Ixcoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\jaxx | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Litecoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Megacoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Mincoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\MultiDoge | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Namecoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Primecoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Terracoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\YACoin | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\crypto\Zcash | Accessed File | Access, Delete | CLEAN
C:\\ProgramData\\841859659216477\outlook.txt | Dropped File, Embedded File | Access, Read, Delete | CLEAN
C:\\ProgramData\\841859659216477\passwords.txt | Accessed File | Access, Read, Delete | CLEAN
C:\\ProgramData\\841859659216477\screenshot.jpg | Dropped File | Access, Read, Delete | CLEAN
C:\\ProgramData\\841859659216477\system.txt | Dropped File | Access, Read, Delete | CLEAN
C:\\ProgramData\\841859659216477\_8418596592.zip | Downloaded File | Access, Delete | CLEAN
URL
URL Category IP Address Country HTTP Methods Verdict
http://duiy.xyz/6.jpg 45.144.225.201 POST CLEAN
http://duiy.xyz/1.jpg 45.144.225.201 POST CLEAN
http://duiy.xyz/2.jpg 45.144.225.201 POST CLEAN
http://duiy.xyz/3.jpg 45.144.225.201 POST CLEAN
http://duiy.xyz/4.jpg 45.144.225.201 POST CLEAN
http://duiy.xyz/5.jpg 45.144.225.201 POST CLEAN
http://duiy.xyz/7.jpg 45.144.225.201 POST CLEAN
http://duiy.xyz/main.php 45.144.225.201 POST CLEAN
http://duiy.xyz 45.144.225.201 POST CLEAN
Domain
Domain IP Address Country Protocols Verdict
duiy.xyz 45.144.225.201 HTTP CLEAN
IP
IP Address Domains Country Protocols Verdict
45.144.225.201 duiy.xyz United States DNS, HTTP, TCP CLEAN
-
Email Address
-
Mutex
-
Registry
Registry Key | Operations | Parent Process Name | Verdict
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\notpad | access, read, write | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_PERFORMANCE_DATA | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000001 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000002 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000003 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000004 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0FA68574-690B-4B00-89AA-B28946231449} | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0FA68574-690B-4B00-89AA-B28946231449}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0FA68574-690B-4B00-89AA-B28946231449}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E} | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2} | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a} | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{65e650ff-30be-469d-b63a-418d71ea1765} | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{65e650ff-30be-469d-b63a-418d71ea1765}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{65e650ff-30be-469d-b63a-418d71ea1765}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6913e92a-b64e-41c9-a5e6-cef39207fe89} | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2} | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE} | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-0000-0000000FF1CE} | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-0000-0000000FF1CE}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-0000-0000000FF1CE}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9} | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB} | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d} | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573 | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185} | access | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}\DisplayName | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}\DisplayVersion | access, read | dfi_078_41_02_005.pdf.exe | CLEAN
Process
Process Name | Commandline | Verdict
dfi_078_41_02_005.pdf.exe | "C:\Users\RDhJ0CNFevzX\Desktop\DFI_078_41_02_005.pdf.exe" | SUSPICIOUS
dfi_078_41_02_005.pdf.exe | C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\DFI_078_41_02_005.pdf.exe | SUSPICIOUS
notpad.exe | "C:\Users\RDhJ0CNFevzX\AppData\Local\notpad.exe" | SUSPICIOUS
cmd.exe | "C:\Windows\System32\cmd.exe" /c taskkill /pid 1264 & erase C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\DFI_078_41_02_005.pdf.exe & RD /S /Q C:\ProgramData\841859659216477\* & exit | CLEAN
YARA / AV
No YARA or AV matches available.
ENVIRONMENT
Virtual Machine Information
Name win10_64_th2_en_mso2016
Description win10_64_th2_en_mso2016
Architecture x86 64-bit
Operating System Windows 10 Threshold 2
Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Analyzer Information
Analyzer Version 4.1.1
Dynamic Engine Version 4.1.1 / 02/08/2021 15:19
Static Engine Version 1.6.0
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (November 12, 2020)
Built-in AV Database Update Release Date 2021-04-21 14:31:11+00:00
VTI Ruleset Version 3.8
YARA Built-in Ruleset Version 1.5
Analysis Report Layout Version 10
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Internet Explorer Version 11.0.10586.0
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed