Analysis Report INQUIRY 1820521 pdf.exe

Overview

General Information

Sample Name:	INQUIRY 1820521 pdf.exe
Analysis ID:	385289
MD5:	dd3ae15e952c239ae6d87c8374b3b460
SHA1:	f8d9daceb3ff1dadabf9051a04bb4356c370fbde
SHA256:	513357be2837bb1211c3fe2a32d7e6cdecf75f6cf0da1c2f0d198a38e3cdb759
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses ipconfig to lookup or modify the Windows network settings

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.auggiepaws.com/gnk/"], "decoy": ["fotografialove.com", "drphoenixnguyen.com", "pueblobusinessreview.com", "voteorrall.com", "sailde.com", "active-label.com", "geteless.com", "aperfectbrow.com", "interdictrisk.com", "sakaisays.com", "wyshio.com", "nilantika.com", "landbirdevehicals.com", "vd-bill.com", "ourblingstore.com", "dennites.xyz", "styleformen.online", "adjustedhuman.com", "soglasi.com", "abarroteslacanasta.com", "ylsjsj.com", "carrieroerealtor.com", "2739kingsroad.com", "farmersmeadow.com", "domokoi.com", "lownak.com", "extrarenda.com", "watchcure.com", "yrzx61.com", "boon-bliss.com", "xinghai-nb.com", "perencanaan.net", "queenbeadsandcrafts.com", "capitalcourierltd.online", "yoopadoop.com", "crlspn.com", "sxpyx.com", "rva80s.com", "fuelupllc.com", "mobcitylabs.com", "madebyhidden.com", "bazmemohsin.com", "gosvozvrat-nds.xyz", "rescueranchaz.com", "hhcuerkn.com", "maginames.com", "avkulrestaurant.com", "autofestva.com", "lifeprotectionexpert.com", "shakamaui.com", "demo-berlin.com", "namigweart.com", "thesimpleau.com", "cmchickengt.com", "yourofficespot.com", "areyssg.com", "shanscorp.com", "cozywag.com", "shrikrishnasevasenai.com", "homartist.net", "ferreteriablanco.com", "xczg99999.com", "studyabroadguatemala.com", "britishvapecompany.com"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe	Metadefender: Detection: 13%			Perma Link
Source: C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe	ReversingLabs: Detection: 41%

Multi AV Scanner detection for submitted file

Source: INQUIRY 1820521 pdf.exe	Virustotal: Detection: 39%	Perma Link
Source: INQUIRY 1820521 pdf.exe	Metadefender: Detection: 13%	Perma Link
Source: INQUIRY 1820521 pdf.exe	ReversingLabs: Detection: 41%

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE

Antivirus or Machine Learning detection for unpacked file

Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: INQUIRY 1820521 pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: INQUIRY 1820521 pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: ipconfig.pdb source: INQUIRY 1820521 pdf.exe, 00000009.00000002.727260572.0000000001430000.00000040.00000001.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: INQUIRY 1820521 pdf.exe, 00000009.00000002.727260572.0000000001430000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.696903670.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: INQUIRY 1820521 pdf.exe, 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.908754281.000000000336F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: INQUIRY 1820521 pdf.exe, ipconfig.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.696903670.0000000005A00000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 4x nop then pop esi	9_2_004172EA
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 4x nop then pop edi	9_2_00416C96
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 4x nop then pop esi	16_2_00A172EA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 4x nop then pop edi	16_2_00A16C96

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.auggiepaws.com/gnk/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /gnk/?Ezr0pl=DnbLuT&sZvD88=H+m5DnQ6CNrLWDhOr9+GU7qZReU4k+N7/cnPpyZ0AIPp8Rivccl87rPwP+687pRYxKR0 HTTP/1.1Host: www.hhcuerkn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gnk/?sZvD88=SYZO30Rw9/xWTIeSKGPhX7HmTPZweoUXDGzJY+4zU//Zy+/I+iT+Zq6wGsmgWs8tlcqs&Ezr0pl=DnbLuT HTTP/1.1Host: www.mobcitylabs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gnk/?Ezr0pl=DnbLuT&sZvD88=xQkMVUIjVgEDTyCEhmabftVVaeWVPbzi+0a4N1BcO5prH32uPLxq/R2onmpvBIdlFaM0 HTTP/1.1Host: www.xinghai-nb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 198.185.159.144 198.185.159.144

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: IDCFIDCFrontierIncJP IDCFIDCFrontierIncJP

Source: C:\Windows\explorer.exe

Code function: 10_2_04DFB782 getaddrinfo,setsockopt,recv,

10_2_04DFB782

Source: global traffic	HTTP traffic detected: GET /gnk/?Ezr0pl=DnbLuT&sZvD88=H+m5DnQ6CNrLWDhOr9+GU7qZReU4k+N7/cnPpyZ0AIPp8Rivccl87rPwP+687pRYxKR0 HTTP/1.1Host: www.hhcuerkn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gnk/?sZvD88=SYZO30Rw9/xWTIeSKGPhX7HmTPZweoUXDGzJY+4zU//Zy+/I+iT+Zq6wGsmgWs8tlcqs&Ezr0pl=DnbLuT HTTP/1.1Host: www.mobcitylabs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gnk/?Ezr0pl=DnbLuT&sZvD88=xQkMVUIjVgEDTyCEhmabftVVaeWVPbzi+0a4N1BcO5prH32uPLxq/R2onmpvBIdlFaM0 HTTP/1.1Host: www.xinghai-nb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.hhcuerkn.com

Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.649744623.0000000008690000.00000004.00000001.sdmp	String found in binary or memory: http://en.wikip
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681087935.000000000316C000.00000004.00000001.sdmp, INQUIRY 1820521 pdf.exe, 00000000.00000002.681042988.0000000003121000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681087935.000000000316C000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: INQUIRY 1820521 pdf.exe	String found in binary or memory: http://weather.gc.ca/astro/seeing_e.html)
Source: explorer.exe, 0000000A.00000002.909308759.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.649744623.0000000008690000.00000004.00000001.sdmp, INQUIRY 1820521 pdf.exe, 00000000.00000003.648154043.0000000008690000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.648154043.0000000008690000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com11
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.648173441.0000000008675000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com?
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.648173441.0000000008675000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.648173441.0000000008675000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTCV
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.649744623.0000000008690000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.come7
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.648154043.0000000008690000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.648173441.0000000008675000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coms-c
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.651191297.000000000868E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html?
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647449439.00000000086A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.c
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn0A
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnCg
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnD
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647365579.00000000086A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnP
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647266371.000000000868A000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cna
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnl
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647365579.00000000086A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnu-e
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647449439.00000000086A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.c~
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr-e
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.krs-cz
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.651699352.0000000008690000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.5;M
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr?
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krim
Source: explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647616493.00000000086A5000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comTZ
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647616493.00000000086A5000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.coms
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: ipconfig.exe, 00000010.00000002.909460899.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: https://www.baidu.com/s?ie=utf-8&f=8&rsv_bp=1&rsv_idx=1&tn=baidu&wd=%22xinghai-nb.com%22
Source: ipconfig.exe, 00000010.00000002.909460899.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: https://www.sogou.com/web?query=%22xinghai-nb.com%22&ie=utf8

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.680653424.00000000015D8000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00419D60 NtCreateFile,	9_2_00419D60
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00419E10 NtReadFile,	9_2_00419E10
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00419E90 NtClose,	9_2_00419E90
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00419F40 NtAllocateVirtualMemory,	9_2_00419F40
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00419D5E NtCreateFile,	9_2_00419D5E
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00419E8C NtClose,	9_2_00419E8C
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00419F3A NtAllocateVirtualMemory,	9_2_00419F3A
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579910 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_01579910
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015799A0 NtCreateSection,LdrInitializeThunk,	9_2_015799A0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579840 NtDelayExecution,LdrInitializeThunk,	9_2_01579840
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579860 NtQuerySystemInformation,LdrInitializeThunk,	9_2_01579860
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015798F0 NtReadVirtualMemory,LdrInitializeThunk,	9_2_015798F0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579A50 NtCreateFile,LdrInitializeThunk,	9_2_01579A50
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579A00 NtProtectVirtualMemory,LdrInitializeThunk,	9_2_01579A00
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579A20 NtResumeThread,LdrInitializeThunk,	9_2_01579A20
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579540 NtReadFile,LdrInitializeThunk,	9_2_01579540
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015795D0 NtClose,LdrInitializeThunk,	9_2_015795D0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579710 NtQueryInformationToken,LdrInitializeThunk,	9_2_01579710
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579780 NtMapViewOfSection,LdrInitializeThunk,	9_2_01579780
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015797A0 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_015797A0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579660 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_01579660
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015796E0 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_015796E0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579950 NtQueueApcThread,	9_2_01579950
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015799D0 NtCreateProcessEx,	9_2_015799D0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0157B040 NtSuspendThread,	9_2_0157B040
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579820 NtEnumerateKey,	9_2_01579820
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015798A0 NtWriteVirtualMemory,	9_2_015798A0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579B00 NtSetValueKey,	9_2_01579B00
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0157A3B0 NtGetContextThread,	9_2_0157A3B0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579A10 NtQuerySection,	9_2_01579A10
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579A80 NtOpenDirectoryObject,	9_2_01579A80
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579560 NtWriteFile,	9_2_01579560
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0157AD30 NtSetContextThread,	9_2_0157AD30
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579520 NtWaitForSingleObject,	9_2_01579520
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015795F0 NtQueryInformationFile,	9_2_015795F0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0157A770 NtOpenThread,	9_2_0157A770
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579770 NtSetInformationFile,	9_2_01579770
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579760 NtOpenProcess,	9_2_01579760
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0157A710 NtOpenProcessToken,	9_2_0157A710
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579730 NtQueryVirtualMemory,	9_2_01579730
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579FE0 NtCreateMutant,	9_2_01579FE0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579650 NtQueryValueKey,	9_2_01579650
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579670 NtQueryInformationProcess,	9_2_01579670
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579610 NtEnumerateValueKey,	9_2_01579610
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015796D0 NtCreateKey,	9_2_015796D0
Source: C:\Windows\explorer.exe	Code function: 10_2_04DFAA32 NtCreateFile,	10_2_04DFAA32
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9710 NtQueryInformationToken,LdrInitializeThunk,	16_2_032B9710
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9780 NtMapViewOfSection,LdrInitializeThunk,	16_2_032B9780
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9FE0 NtCreateMutant,LdrInitializeThunk,	16_2_032B9FE0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9A50 NtCreateFile,LdrInitializeThunk,	16_2_032B9A50
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B96E0 NtFreeVirtualMemory,LdrInitializeThunk,	16_2_032B96E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B96D0 NtCreateKey,LdrInitializeThunk,	16_2_032B96D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	16_2_032B9910
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9540 NtReadFile,LdrInitializeThunk,	16_2_032B9540
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B99A0 NtCreateSection,LdrInitializeThunk,	16_2_032B99A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B95D0 NtClose,LdrInitializeThunk,	16_2_032B95D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9860 NtQuerySystemInformation,LdrInitializeThunk,	16_2_032B9860
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9840 NtDelayExecution,LdrInitializeThunk,	16_2_032B9840
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9730 NtQueryVirtualMemory,	16_2_032B9730
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9B00 NtSetValueKey,	16_2_032B9B00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032BA710 NtOpenProcessToken,	16_2_032BA710
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9760 NtOpenProcess,	16_2_032B9760
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9770 NtSetInformationFile,	16_2_032B9770
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032BA770 NtOpenThread,	16_2_032BA770
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B97A0 NtUnmapViewOfSection,	16_2_032B97A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032BA3B0 NtGetContextThread,	16_2_032BA3B0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9A20 NtResumeThread,	16_2_032B9A20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9A00 NtProtectVirtualMemory,	16_2_032B9A00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9A10 NtQuerySection,	16_2_032B9A10
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9610 NtEnumerateValueKey,	16_2_032B9610
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9660 NtAllocateVirtualMemory,	16_2_032B9660
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9670 NtQueryInformationProcess,	16_2_032B9670
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9650 NtQueryValueKey,	16_2_032B9650
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9A80 NtOpenDirectoryObject,	16_2_032B9A80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9520 NtWaitForSingleObject,	16_2_032B9520
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032BAD30 NtSetContextThread,	16_2_032BAD30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9560 NtWriteFile,	16_2_032B9560
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9950 NtQueueApcThread,	16_2_032B9950
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B95F0 NtQueryInformationFile,	16_2_032B95F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B99D0 NtCreateProcessEx,	16_2_032B99D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9820 NtEnumerateKey,	16_2_032B9820
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032BB040 NtSuspendThread,	16_2_032BB040
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B98A0 NtWriteVirtualMemory,	16_2_032B98A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B98F0 NtReadVirtualMemory,	16_2_032B98F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A19D60 NtCreateFile,	16_2_00A19D60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A19E90 NtClose,	16_2_00A19E90
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A19E10 NtReadFile,	16_2_00A19E10
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A19D5E NtCreateFile,	16_2_00A19D5E
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A19E8C NtClose,	16_2_00A19E8C

Detected potential crypto function

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01592140	0_2_01592140
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01590470	0_2_01590470
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01590FD0	0_2_01590FD0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_0159EE68	0_2_0159EE68
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01593078	0_2_01593078
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01591779	0_2_01591779
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_0159BF40	0_2_0159BF40
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01594AD8	0_2_01594AD8
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01594AC9	0_2_01594AC9
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01592F78	0_2_01592F78
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01590F72	0_2_01590F72
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01590F29	0_2_01590F29
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01590ED1	0_2_01590ED1
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01595148	0_2_01595148
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01595139	0_2_01595139
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01595359	0_2_01595359
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01595368	0_2_01595368
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01595610	0_2_01595610
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01595600	0_2_01595600
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01593F48	0_2_01593F48
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01593F38	0_2_01593F38
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_0159BF30	0_2_0159BF30
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_05673794	0_2_05673794
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_05679BC0	0_2_05679BC0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_056701F0	0_2_056701F0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_056737E7	0_2_056737E7
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_05673788	0_2_05673788
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00401029	9_2_00401029
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00401030	9_2_00401030
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00402D87	9_2_00402D87
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00402D90	9_2_00402D90
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00409E40	9_2_00409E40
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00409E3B	9_2_00409E3B
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00402FB0	9_2_00402FB0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0153F900	9_2_0153F900
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01554120	9_2_01554120
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0160E824	9_2_0160E824
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F1002	9_2_015F1002
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_016028EC	9_2_016028EC
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0154B090	9_2_0154B090
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_016020A8	9_2_016020A8
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015620A0	9_2_015620A0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01602B28	9_2_01602B28
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015FDBD2	9_2_015FDBD2
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156EBB0	9_2_0156EBB0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_016022AE	9_2_016022AE
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01601D55	9_2_01601D55
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01602D07	9_2_01602D07
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01530D20	9_2_01530D20
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0154D5E0	9_2_0154D5E0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_016025DD	9_2_016025DD
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01562581	9_2_01562581
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015FD466	9_2_015FD466
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0154841F	9_2_0154841F
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01601FF1	9_2_01601FF1
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015FD616	9_2_015FD616
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01556E30	9_2_01556E30
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01602EF7	9_2_01602EF7
Source: C:\Windows\explorer.exe	Code function: 10_2_04DFAA32	10_2_04DFAA32
Source: C:\Windows\explorer.exe	Code function: 10_2_04DF2CF2	10_2_04DF2CF2
Source: C:\Windows\explorer.exe	Code function: 10_2_04DF2CEC	10_2_04DF2CEC
Source: C:\Windows\explorer.exe	Code function: 10_2_04DF1072	10_2_04DF1072
Source: C:\Windows\explorer.exe	Code function: 10_2_04DFDA6F	10_2_04DFDA6F
Source: C:\Windows\explorer.exe	Code function: 10_2_04DF1069	10_2_04DF1069
Source: C:\Windows\explorer.exe	Code function: 10_2_04DF9862	10_2_04DF9862
Source: C:\Windows\explorer.exe	Code function: 10_2_04DF5B1F	10_2_04DF5B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_04DFDB0E	10_2_04DFDB0E
Source: C:\Windows\explorer.exe	Code function: 10_2_04DF8132	10_2_04DF8132
Source: C:\Windows\explorer.exe	Code function: 10_2_04DF5B22	10_2_04DF5B22
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03342B28	16_2_03342B28
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032AEBB0	16_2_032AEBB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03341FF1	16_2_03341FF1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0333DBD2	16_2_0333DBD2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03296E30	16_2_03296E30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_033422AE	16_2_033422AE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03342EF7	16_2_03342EF7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03270D20	16_2_03270D20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03294120	16_2_03294120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0327F900	16_2_0327F900
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03342D07	16_2_03342D07
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03341D55	16_2_03341D55
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A2581	16_2_032A2581
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0328D5E0	16_2_0328D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03331002	16_2_03331002
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0328841F	16_2_0328841F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A20A0	16_2_032A20A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_033420A8	16_2_033420A8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0328B090	16_2_0328B090
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A02D87	16_2_00A02D87
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A02D90	16_2_00A02D90
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A09E3B	16_2_00A09E3B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A09E40	16_2_00A09E40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A02FB0	16_2_00A02FB0

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 0327B150 appears 35 times
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: String function: 0153B150 appears 35 times

Sample file is different than original file name gathered from version info

Source: INQUIRY 1820521 pdf.exe	Binary or memory string: OriginalFilename vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.688381627.000000000A140000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.688381627.000000000A140000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000000.643263157.0000000000D52000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFormattableString.exeP vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.690617159.000000000B6A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.688107123.0000000009F10000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.690816411.0000000012120000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681042988.0000000003121000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.680653424.00000000015D8000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe	Binary or memory string: OriginalFilename vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000006.00000000.674971623.0000000000392000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFormattableString.exeP vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe	Binary or memory string: OriginalFilename vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000007.00000000.675957885.00000000000A2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFormattableString.exeP vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe	Binary or memory string: OriginalFilename vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000008.00000000.677042665.00000000001D2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFormattableString.exeP vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe	Binary or memory string: OriginalFilename vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000009.00000000.678299200.0000000000942000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFormattableString.exeP vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000009.00000002.728306510.00000000017BF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000009.00000002.727314494.0000000001437000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameipconfig.exej% vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe	Binary or memory string: OriginalFilenameFormattableString.exeP vs INQUIRY 1820521 pdf.exe

Uses 32bit PE files

Source: INQUIRY 1820521 pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: INQUIRY 1820521 pdf.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: YAhcdYrYHFkNNf.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/4@3/3

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

File created: C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\EzfyYQgyGpxJcXHkudBezpt
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: unknown	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe 'C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe'
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YAhcdYrYHFkNNf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7085.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YAhcdYrYHFkNNf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7085.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe'	Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_00D527CF push 00000052h; iretd	0_2_00D527DF
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_00D5269E push ds; iretd	0_2_00D526AC
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 6_2_0039269E push ds; iretd	6_2_003926AC
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 6_2_003927CF push 00000052h; iretd	6_2_003927DF
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 7_2_000A269E push ds; iretd	7_2_000A26AC
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 7_2_000A27CF push 00000052h; iretd	7_2_000A27DF
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 8_2_001D269E push ds; iretd	8_2_001D26AC
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 8_2_001D27CF push 00000052h; iretd	8_2_001D27DF
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0040CBD4 push ds; iretd	9_2_0040CBDF
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0041CEB5 push eax; ret	9_2_0041CF08
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0041CF6C push eax; ret	9_2_0041CF72
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0041CF02 push eax; ret	9_2_0041CF08
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0041CF0B push eax; ret	9_2_0041CF72
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0041CFBA push eax; ret	9_2_0041CF72
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0094269E push ds; iretd	9_2_009426AC
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_009427CF push 00000052h; iretd	9_2_009427DF
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0158D0D1 push ecx; ret	9_2_0158D0E4
Source: C:\Windows\explorer.exe	Code function: 10_2_04DFE3E6 pushad ; ret	10_2_04DFE3E7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032CD0D1 push ecx; ret	16_2_032CD0E4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A0CBD4 push ds; iretd	16_2_00A0CBDF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A1CEB5 push eax; ret	16_2_00A1CF08
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A1CFBA push eax; ret	16_2_00A1CF72
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A1CF02 push eax; ret	16_2_00A1CF08
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A1CF0B push eax; ret	16_2_00A1CF72
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A1CF6C push eax; ret	16_2_00A1CF72

Source: initial sample	Static PE information: section name: .text entropy: 7.49655840913
Source: initial sample	Static PE information: section name: .text entropy: 7.49655840913

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INQUIRY 1820521 pdf.exe PID: 6928, type: MEMORY

Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 0000000000A098E4 second address: 0000000000A098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 0000000000A09B5E second address: 0000000000A09B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe TID: 6932	Thread sleep time: -100694s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe TID: 6960	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4200	Thread sleep time: -58000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6828	Thread sleep time: -55000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Thread delayed: delay time: 100694			Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 0000000A.00000000.696745704.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000A.00000000.701320132.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000A.00000000.697754798.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.701320132.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.690336891.000000000B5A7000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA;\|Y
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000A.00000002.917434939.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 0000000A.00000000.696745704.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000A.00000000.701814701.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 0000000A.00000000.696745704.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000000A.00000000.702010106.000000000A784000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 0000000A.00000000.696745704.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\explorer.exe	Domain query: www.hhcuerkn.com
Source: C:\Windows\explorer.exe	Network Connect: 210.152.87.233 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.82.58 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.xinghai-nb.com
Source: C:\Windows\explorer.exe	Network Connect: 198.185.159.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.mobcitylabs.com

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Thread register set: target process: 3424			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Thread register set: target process: 3424			Jump to behavior

Source: explorer.exe, 0000000A.00000000.683281450.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 0000000A.00000002.908224655.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 00000010.00000002.909559117.00000000046E0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000002.921124945.0000000005E50000.00000004.00000001.sdmp, ipconfig.exe, 00000010.00000002.909559117.00000000046E0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000002.908224655.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 00000010.00000002.909559117.00000000046E0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000002.908224655.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 00000010.00000002.909559117.00000000046E0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.701814701.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Analysis Report INQUIRY 1820521 pdf.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.82.58	www.xinghai-nb.com	United States	13335	CLOUDFLARENETUS	true
198.185.159.144	ext-sq.squarespace.com	United States	53831	SQUARESPACEUS	false
210.152.87.233	hhcuerkn.com	Japan	4694	IDCFIDCFrontierIncJP	true

Name	Malicious	Antivirus Detection	Reputation
http://www.mobcitylabs.com/gnk/?sZvD88=SYZO30Rw9/xWTIeSKGPhX7HmTPZweoUXDGzJY+4zU//Zy+/I+iT+Zq6wGsmgWs8tlcqs&Ezr0pl=DnbLuT	true	Avira URL Cloud: safe	unknown
http://www.hhcuerkn.com/gnk/?Ezr0pl=DnbLuT&sZvD88=H+m5DnQ6CNrLWDhOr9+GU7qZReU4k+N7/cnPpyZ0AIPp8Rivccl87rPwP+687pRYxKR0	true	Avira URL Cloud: safe	unknown
www.auggiepaws.com/gnk/	true	Avira URL Cloud: safe	low
http://www.xinghai-nb.com/gnk/?Ezr0pl=DnbLuT&sZvD88=xQkMVUIjVgEDTyCEhmabftVVaeWVPbzi+0a4N1BcO5prH32uPLxq/R2onmpvBIdlFaM0	true	Avira URL Cloud: safe	unknown

ID:	385289
Product:	CloudBasic
Start time:	09:41:19
Start date:	12.04.2021
Sample:	INQUIRY 1820521 pdf.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	dd3ae15e952c239ae6d87c8374b3b460
SHA1:	f8d9daceb3ff1dadabf9051a04bb4356c370fbde
SHA256:	513357be2837bb1211c3fe2a32d7e6cdecf75f6cf0da1c2f0d198a38e3cdb759
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INQUIRY 1820521 pdf.exe.log	ASCII text, with CRLF line terminators	1DC1A2DCC9EFAA84EABF4F6D6066565B	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
C:\Users\user\AppData\Local\Temp\tmp7085.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	FF62EF076287CFB81F8ED2C5EF6F9231	2C615B6431D0EA97DC0E72ABD637E4BD45B85E3E	1744396F535974D7DF009A067FDCB0D34C03B44A10BD8FF3C3877F2D1AC74EF5
C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	DD3AE15E952C239AE6D87C8374B3B460	F8D9DACEB3FF1DADABF9051A04BB4356C370FBDE	513357BE2837BB1211C3FE2A32D7E6CDECF75F6CF0DA1C2F0D198A38E3CDB759
C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309