Analysis Report K409476485-03032021000.pdf.exe

Overview

General Information

Sample Name: K409476485-03032021000.pdf.exe
Analysis ID: 361816
MD5: 88ff54784a623dcd43bb8c22491a5398
SHA1: 873bb1426e0863be86a1df2d94ab33d8ac340d48
SHA256: 93aacab7e09044795808ad1a0256c015271653ab0fe9d62785800c0f19ef1ad8
Tags: exeHawkEye
Infos:

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Found malware configuration
Source: K409476485-03032021000.pdf.exe.7072.3.memstr Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: K409476485-03032021000.pdf.exe Virustotal: Detection: 37% Perma Link
Source: K409476485-03032021000.pdf.exe ReversingLabs: Detection: 19%
Machine Learning detection for sample
Source: K409476485-03032021000.pdf.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.unpack Avira: Label: TR/Inject.vcoldi

Compliance:

barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Unpacked PE file: 1.2.K409476485-03032021000.pdf.exe.260000.0.unpack
Uses 32bit PE files
Source: K409476485-03032021000.pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: K409476485-03032021000.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, vbc.exe

Spreading:

barindex
May infect USB drives
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 6_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 7_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 7_2_00407E0E

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then push dword ptr [ebp-20h] 1_2_04CA6494
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 1_2_04CA6494
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then push dword ptr [ebp-20h] 1_2_04CA64A0
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 1_2_04CA64A0
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then xor edx, edx 1_2_04CA66EC
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then xor edx, edx 1_2_04CA66F8
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then push dword ptr [ebp-24h] 1_2_04CA6BC0
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 1_2_04CA6BC0
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then push dword ptr [ebp-24h] 1_2_04CA6BB4
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 1_2_04CA6BB4
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 1_2_04CA5D78
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 1_2_04CA5FBC
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 3_2_05FBFE8A
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then call 0543A6E8h 3_2_05FDA45A
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 3_2_05FDA45A
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then call 0543A6E8h 3_2_05FD9C10
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 3_2_05FD9C10
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 3_2_05FDA71F
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 3_2_05FD26D9
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 3_2_05FDB123
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 3_2_05FD2835
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 3_2_05FD2B99
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then call 0543A6E8h 3_2_05FDA370
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 3_2_05FDA370
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 3_2_05FD326B
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 3_2_05FDAA44
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 3_2_05FDB20D
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 3_2_080F0326
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 3_2_080F018F

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.6:49730 -> 103.27.200.199:21
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49731 -> 103.27.200.199:35243
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 103.27.200.199 103.27.200.199
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: BANGMODENTERPRISE-THBangmodEnterpriseCoLtdTH BANGMODENTERPRISE-THBangmodEnterpriseCoLtdTH
Uses FTP
Source: unknown FTP traffic detected: 103.27.200.199:21 -> 192.168.2.6:49730 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 8 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 8 of 50 allowed.220-Local time is now 14:49. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 8 of 50 allowed.220-Local time is now 14:49. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 8 of 50 allowed.220-Local time is now 14:49. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 8 of 50 allowed.220-Local time is now 14:49. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Source: vbc.exe, 00000007.00000003.378678575.0000000000ACE000.00000004.00000001.sdmp String found in binary or memory: 3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000007.00000003.378678575.0000000000ACE000.00000004.00000001.sdmp String found in binary or memory: 3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.378872120.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.378872120.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000007.00000003.378615686.0000000000ACC000.00000004.00000001.sdmp String found in binary or memory: s://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2
Source: vbc.exe, 00000007.00000003.378615686.0000000000ACC000.00000004.00000001.sdmp String found in binary or memory: s://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2
Source: unknown DNS traffic detected: queries for: 10.76.9.0.in-addr.arpa
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.339668576.0000000006003000.00000004.00000001.sdmp String found in binary or memory: http://en.w
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.337044965.000000000603E000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.comKo
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.337965083.000000000603E000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.como
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.591710521.000000000302E000.00000004.00000001.sdmp String found in binary or memory: http://ftp.triplelink.co.th
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: K409476485-03032021000.pdf.exe, 00000001.00000002.334914842.00000000027E4000.00000004.00000001.sdmp, K409476485-03032021000.pdf.exe, 00000003.00000002.590874619.0000000002D71000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.343783361.000000000600A000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.342836300.0000000006002000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comL
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.342836300.0000000006002000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comQ
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.342836300.0000000006002000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comn-u
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.342836300.0000000006002000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comn-un
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.348257540.000000000600D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.348257540.000000000600D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com-gn
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.347391240.000000000600A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers$
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.348081975.000000000600D000.00000004.00000001.sdmp, K409476485-03032021000.pdf.exe, 00000003.00000003.345282412.000000000600A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designerss
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.345282412.000000000600A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comFe
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.347391240.000000000600A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comT.TTFJ
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.348257540.000000000600D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comX
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.596348173.0000000006000000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.596348173.0000000006000000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comae
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.348257540.000000000600D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comalic
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.348257540.000000000600D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comals
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.347391240.000000000600A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.348081975.000000000600D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comdkoX
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.596348173.0000000006000000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comepkoW
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.347391240.000000000600A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comessed=
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.347391240.000000000600A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comion
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.348257540.000000000600D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comlic
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.347391240.000000000600A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comoitu
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.336579575.00000000014CB000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comnd
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.339668576.0000000006003000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnd
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.344221992.000000000600A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.343783361.000000000600A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/-usX
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.343140401.0000000006007000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/J
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.343783361.000000000600A000.00000004.00000001.sdmp, K409476485-03032021000.pdf.exe, 00000003.00000003.343140401.0000000006007000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.343140401.0000000006007000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/4
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.343140401.0000000006007000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/=
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.344221992.000000000600A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/l-gn
Source: vbc.exe, 00000007.00000003.378615686.0000000000ACC000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.co
Source: vbc.exe, vbc.exe, 00000007.00000002.378872120.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.336106778.000000000603E000.00000004.00000001.sdmp, K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.336106778.000000000603E000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com5
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.336603366.000000000603E000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comg
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.335457848.00000000014CB000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.coml
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.343783361.000000000600A000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.590874619.0000000002D71000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe, 00000007.00000003.378592469.00000000020FC000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activi
Source: vbc.exe, 00000007.00000003.378678575.0000000000ACE000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
Source: vbc.exe, 00000007.00000003.378615686.0000000000ACC000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
Source: vbc.exe, 00000007.00000003.378615686.0000000000ACC000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 00000007.00000003.378615686.0000000000ACC000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: vbc.exe, 00000007.00000003.378615686.0000000000ACC000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: K409476485-03032021000.pdf.exe, 00000001.00000002.334914842.00000000027E4000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 00000007.00000003.378615686.0000000000ACC000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https:/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.590874619.0000000002D71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.336336777.0000000003FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: K409476485-03032021000.pdf.exe PID: 7072, type: MEMORY
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.2d9b520.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.43175f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.426efd0.4.raw.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA, 6_2_0040AC8A

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.590874619.0000000002D71000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.336336777.0000000003FD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.336336777.0000000003FD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.K409476485-03032021000.pdf.exe.45fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.K409476485-03032021000.pdf.exe.45fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.K409476485-03032021000.pdf.exe.2d9b520.6.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.K409476485-03032021000.pdf.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.K409476485-03032021000.pdf.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.K409476485-03032021000.pdf.exe.409c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.K409476485-03032021000.pdf.exe.409c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.K409476485-03032021000.pdf.exe.43175f0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.K409476485-03032021000.pdf.exe.43175f0.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.K409476485-03032021000.pdf.exe.426efd0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.K409476485-03032021000.pdf.exe.426efd0.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: K409476485-03032021000.pdf.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FD89A0 NtSetContextThread, 3_2_05FD89A0
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FD8994 NtWriteVirtualMemory, 3_2_05FD8994
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FD897C NtResumeThread, 3_2_05FD897C
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FDF778 NtWriteVirtualMemory, 3_2_05FDF778
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FDF618 NtResumeThread, 3_2_05FDF618
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FD89B8 NtResumeThread, 3_2_05FD89B8
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FD89AC NtSetContextThread, 3_2_05FD89AC
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FD8964 NtResumeThread, 3_2_05FD8964
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FD8958 NtSetContextThread, 3_2_05FD8958
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FD894C NtSetContextThread, 3_2_05FD894C
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FD8940 NtWriteVirtualMemory, 3_2_05FD8940
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FD8928 NtResumeThread, 3_2_05FD8928
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FDF830 NtSetContextThread, 3_2_05FDF830
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 7_2_00408836
Detected potential crypto function
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 1_2_04CA81A8 1_2_04CA81A8
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 1_2_04CA81B8 1_2_04CA81B8
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 1_2_04CA0AF3 1_2_04CA0AF3
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 1_2_04CA0B00 1_2_04CA0B00
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 1_2_04CA7378 1_2_04CA7378
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 1_2_04CA7370 1_2_04CA7370
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 1_2_04CADF88 1_2_04CADF88
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 1_2_07EB62C0 1_2_07EB62C0
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 1_2_07EBA028 1_2_07EBA028
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FBBDB0 3_2_05FBBDB0
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FBB4E0 3_2_05FBB4E0
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FBEEC8 3_2_05FBEEC8
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FBB198 3_2_05FBB198
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FB0006 3_2_05FB0006
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FDB540 3_2_05FDB540
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FDBD32 3_2_05FDBD32
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FDEC50 3_2_05FDEC50
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FD9C20 3_2_05FD9C20
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FD3BE8 3_2_05FD3BE8
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FD2BA8 3_2_05FD2BA8
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FD6B20 3_2_05FD6B20
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FD22B8 3_2_05FD22B8
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FD9C10 3_2_05FD9C10
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FD3BD7 3_2_05FD3BD7
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FD22A9 3_2_05FD22A9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404DDB 6_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040BD8A 6_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404E4C 6_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404EBD 6_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404F4E 6_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00404419 7_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00404516 7_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00413538 7_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_004145A1 7_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_0040E639 7_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_004337AF 7_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_004399B1 7_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_0043DAE7 7_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00405CF6 7_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00403F85 7_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00411F99 7_2_00411F99
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411538 appears 35 times
PE file contains strange resources
Source: K409476485-03032021000.pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: K409476485-03032021000.pdf.exe Binary or memory string: OriginalFilename vs K409476485-03032021000.pdf.exe
Source: K409476485-03032021000.pdf.exe, 00000001.00000002.334914842.00000000027E4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAsyncState.dllF vs K409476485-03032021000.pdf.exe
Source: K409476485-03032021000.pdf.exe, 00000001.00000002.334914842.00000000027E4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs K409476485-03032021000.pdf.exe
Source: K409476485-03032021000.pdf.exe, 00000001.00000002.332035385.00000000003A2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCallerLineNumberAttribute.exe6 vs K409476485-03032021000.pdf.exe
Source: K409476485-03032021000.pdf.exe, 00000001.00000002.343990844.0000000007DF0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs K409476485-03032021000.pdf.exe
Source: K409476485-03032021000.pdf.exe Binary or memory string: OriginalFilename vs K409476485-03032021000.pdf.exe
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs K409476485-03032021000.pdf.exe
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs K409476485-03032021000.pdf.exe
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs K409476485-03032021000.pdf.exe
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589462153.0000000000972000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCallerLineNumberAttribute.exe6 vs K409476485-03032021000.pdf.exe
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589409174.0000000000482000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs K409476485-03032021000.pdf.exe
Source: K409476485-03032021000.pdf.exe Binary or memory string: OriginalFilenameCallerLineNumberAttribute.exe6 vs K409476485-03032021000.pdf.exe
Uses 32bit PE files
Source: K409476485-03032021000.pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.590874619.0000000002D71000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.336336777.0000000003FD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.336336777.0000000003FD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.598275210.0000000007D30000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.598580548.00000000085C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.K409476485-03032021000.pdf.exe.7d30000.11.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.K409476485-03032021000.pdf.exe.85c0000.12.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.K409476485-03032021000.pdf.exe.2db0cb4.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.K409476485-03032021000.pdf.exe.45fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.K409476485-03032021000.pdf.exe.45fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.K409476485-03032021000.pdf.exe.2d9b520.6.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.K409476485-03032021000.pdf.exe.2d9b520.6.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.K409476485-03032021000.pdf.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.K409476485-03032021000.pdf.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.K409476485-03032021000.pdf.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.K409476485-03032021000.pdf.exe.409c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.K409476485-03032021000.pdf.exe.409c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.K409476485-03032021000.pdf.exe.43175f0.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.K409476485-03032021000.pdf.exe.43175f0.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.K409476485-03032021000.pdf.exe.43175f0.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.K409476485-03032021000.pdf.exe.426efd0.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.K409476485-03032021000.pdf.exe.426efd0.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.K409476485-03032021000.pdf.exe.426efd0.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: K409476485-03032021000.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'xZv2KTjDOGwMPewlL06/2/+cBh+3YNzZLNYqWwxyouAodILYLJV9xZ9CGhDaO0jH', 'G9O9EXxYbTKbu/JIqZ4FXWAEsGCT7RJ+/SHmPiE44HoRMOAUDNTRY4dL0xxXj+PX', 'yFzOCZnSHgqZgbtRiX7zTTL1Qt6D+8cCFAWN8MP9eKKls7OaJo1TF2n4j++JkQX9', 'O6ZQ7J5ocLxf6RhQQpNSk/JzuZPUi9E0JuztOnaE/Qd705fOtAkyZW1GYthg8J6YkNuszS5M9pYlCk2wrogMRg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@7/4@2/1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 7_2_00415AFD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 7_2_00415F87
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle, 7_2_00411196
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource, 6_2_0040ED0B
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\K409476485-03032021000.pdf.exe.log Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File created: C:\Users\user\AppData\Local\Temp\holdermail.txt Jump to behavior
Source: K409476485-03032021000.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, vbc.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.378872120.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: K409476485-03032021000.pdf.exe, 00000001.00000002.334914842.00000000027E4000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, vbc.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, vbc.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: K409476485-03032021000.pdf.exe, 00000001.00000002.334914842.00000000027E4000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: K409476485-03032021000.pdf.exe Virustotal: Detection: 37%
Source: K409476485-03032021000.pdf.exe ReversingLabs: Detection: 19%
Source: unknown Process created: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe 'C:\Users\user\Desktop\K409476485-03032021000.pdf.exe'
Source: unknown Process created: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe C:\Users\user\Desktop\K409476485-03032021000.pdf.exe
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process created: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: K409476485-03032021000.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: K409476485-03032021000.pdf.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: K409476485-03032021000.pdf.exe Static file information: File size 1488384 > 1048576
Source: K409476485-03032021000.pdf.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13fe00
Source: K409476485-03032021000.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, vbc.exe

Data Obfuscation:

barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Unpacked PE file: 1.2.K409476485-03032021000.pdf.exe.260000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Unpacked PE file: 1.2.K409476485-03032021000.pdf.exe.260000.0.unpack
.NET source code contains potential unpacker
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: initial sample Static PE information: 0xC9509DF1 [Sun Jan 10 11:28:49 2077 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00403C3D LoadLibraryA,GetProcAddress,strcpy, 6_2_00403C3D
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 1_2_07EB407F push cs; retf 1_2_07EB4085
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 1_2_07EB3C36 push eax; iretd 1_2_07EB3C37
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FD05B0 pushfd ; retf 3_2_05FD05B9
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Code function: 3_2_05FD4B7A pushad ; retf 3_2_05FD4B81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00411879 push ecx; ret 6_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_004118A0 push eax; ret 6_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_004118A0 push eax; ret 6_2_004118DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00442871 push ecx; ret 7_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00442A90 push eax; ret 7_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00442A90 push eax; ret 7_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00446E54 push eax; ret 7_2_00446E61
Source: initial sample Static PE information: section name: .text entropy: 7.86302896001

Hooking and other Techniques for Hiding and Protection:

barindex
Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden Jump to behavior
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: K409476485-03032021000.pdf.exe
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_0040F64B
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM_3
Source: Yara match File source: 00000001.00000002.334914842.00000000027E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: K409476485-03032021000.pdf.exe PID: 6960, type: MEMORY
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.2862894.1.raw.unpack, type: UNPACKEDPE
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: K409476485-03032021000.pdf.exe, 00000001.00000002.334914842.00000000027E4000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: K409476485-03032021000.pdf.exe, 00000001.00000002.334914842.00000000027E4000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 7_2_00408836
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Thread delayed: delay time: 180000 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Window / User API: threadDelayed 445 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe TID: 6964 Thread sleep time: -99589s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe TID: 7028 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe TID: 6148 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe TID: 5756 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe TID: 5220 Thread sleep time: -140000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe TID: 5216 Thread sleep time: -89000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe TID: 6528 Thread sleep time: -180000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 6_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 7_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 7_2_00407E0E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_004161B0 memset,GetSystemInfo, 7_2_004161B0
Source: K409476485-03032021000.pdf.exe, 00000001.00000002.334914842.00000000027E4000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: K409476485-03032021000.pdf.exe, 00000001.00000002.334914842.00000000027E4000.00000004.00000001.sdmp Binary or memory string: vmware
Source: K409476485-03032021000.pdf.exe, 00000001.00000002.334914842.00000000027E4000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: K409476485-03032021000.pdf.exe, 00000001.00000002.334914842.00000000027E4000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 7_2_00408836
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00403C3D LoadLibraryA,GetProcAddress,strcpy, 6_2_00403C3D
Enables debug privileges
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
.NET source code references suspicious native API functions
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Memory written: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000 Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000 Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000 Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000 Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000 Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process created: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' Jump to behavior
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.590727552.00000000016D0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.590727552.00000000016D0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.590727552.00000000016D0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.590727552.00000000016D0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 7_2_0041604B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 6_2_0040724C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00406278 GetVersionExA, 6_2_00406278
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
AV process strings found (often used to terminate AV products)
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597712341.000000000761F000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.590874619.0000000002D71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.336336777.0000000003FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: K409476485-03032021000.pdf.exe PID: 7072, type: MEMORY
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.2d9b520.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.43175f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.426efd0.4.raw.unpack, type: UNPACKEDPE
Yara detected MailPassView
Source: Yara match File source: 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.336336777.0000000003FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.593126682.0000000003D71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.375467780.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: K409476485-03032021000.pdf.exe PID: 7072, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 5752, type: MEMORY
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.3d79930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.45fa72.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.3d79930.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.43175f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.426efd0.4.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail Jump to behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 6_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 6_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 6_2_004033D7
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.336336777.0000000003FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.378872120.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.593126682.0000000003D71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: K409476485-03032021000.pdf.exe PID: 7072, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6324, type: MEMORY
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.3d79930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.3d91b50.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.409c0d.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.3d91b50.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.43175f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.426efd0.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Detected HawkEye Rat
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.590874619.0000000002D71000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.590874619.0000000002D71000.00000004.00000001.sdmp String found in binary or memory: l&HawkEye_Keylogger_Execution_Confirmed_
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.590874619.0000000002D71000.00000004.00000001.sdmp String found in binary or memory: l"HawkEye_Keylogger_Stealer_Records_
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.591710521.000000000302E000.00000004.00000001.sdmp String found in binary or memory: l@HawkEye_Keylogger_Stealer_Records_609290 3.3.2021 9:01:04 AM.txt
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.591710521.000000000302E000.00000004.00000001.sdmp String found in binary or memory: l[ftp://ftp.triplelink.co.th/HawkEye_Keylogger_Stealer_Records_609290 3.3.2021 9:01:04 AM.txt
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.591710521.000000000302E000.00000004.00000001.sdmp String found in binary or memory: ftp://ftp.triplelink.co.th/HawkEye_Keylogger_Stealer_Records_609290%203.3.2021%209:01:04%20AM.txt
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.591710521.000000000302E000.00000004.00000001.sdmp String found in binary or memory: laftp://ftp.triplelink.co.th/HawkEye_Keylogger_Stealer_Records_609290%203.3.2021%209:01:04%20AM.txt
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.591739731.0000000003043000.00000004.00000001.sdmp String found in binary or memory: l@HawkEye_Keylogger_Stealer_Records_609290 3.3.2021 9:01:04 AM.txtP
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.591739731.0000000003043000.00000004.00000001.sdmp String found in binary or memory: lGSTOR HawkEye_Keylogger_Stealer_Records_609290 3.3.2021 9:01:04 AM.txt
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.591739731.0000000003043000.00000004.00000001.sdmp String found in binary or memory: STOR HawkEye_Keylogger_Stealer_Records_609290 3.3.2021 9:01:04 AM.txt
Yara detected HawkEye Keylogger
Source: Yara match File source: 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.590874619.0000000002D71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.336336777.0000000003FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: K409476485-03032021000.pdf.exe PID: 7072, type: MEMORY
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.2d9b520.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.K409476485-03032021000.pdf.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.43175f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.K409476485-03032021000.pdf.exe.426efd0.4.raw.unpack, type: UNPACKEDPE
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 361816 Sample: K409476485-03032021000.pdf.exe Startdate: 03/03/2021 Architecture: WINDOWS Score: 100 26 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->26 28 Found malware configuration 2->28 30 Malicious sample detected (through community Yara rule) 2->30 32 15 other signatures 2->32 7 K409476485-03032021000.pdf.exe 3 2->7         started        process3 file4 20 C:\...\K409476485-03032021000.pdf.exe.log, ASCII 7->20 dropped 34 Detected unpacking (changes PE section rights) 7->34 36 Detected unpacking (overwrites its own PE header) 7->36 38 Injects a PE file into a foreign processes 7->38 11 K409476485-03032021000.pdf.exe 15 4 7->11         started        signatures5 process6 dnsIp7 22 ftp.triplelink.co.th 103.27.200.199, 21, 35243, 49730 BANGMODENTERPRISE-THBangmodEnterpriseCoLtdTH Thailand 11->22 24 10.76.9.0.in-addr.arpa 11->24 40 Changes the view of files in windows explorer (hidden files and folders) 11->40 42 Writes to foreign memory regions 11->42 44 Sample uses process hollowing technique 11->44 46 Injects a PE file into a foreign processes 11->46 15 vbc.exe 1 11->15         started        18 vbc.exe 13 11->18         started        signatures8 process9 signatures10 48 Tries to steal Mail credentials (via file registry) 15->48 50 Tries to steal Instant Messenger accounts or passwords 15->50 52 Tries to steal Mail credentials (via file access) 15->52 54 Tries to harvest and steal browser information (history, passwords, etc) 18->54
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
103.27.200.199
unknown Thailand
58955 BANGMODENTERPRISE-THBangmodEnterpriseCoLtdTH true

Contacted Domains

Name IP Active
ftp.triplelink.co.th 103.27.200.199 true
10.76.9.0.in-addr.arpa unknown unknown