Analysis Report Inquiry_10_05_2021,pdf.exe

Overview

General Information

Sample Name:	Inquiry_10_05_2021,pdf.exe
Analysis ID:	411852
MD5:	d394a8c0a37bcdaf432b2882714c6eba
SHA1:	52d386445e50600a920f16692bbf30829d08932c
SHA256:	3f4dc309be69548972299cb0517c884bcb5a472fbf9693ff3d07776c9464af1c
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000000.00000002.329149948.0000000003A30000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.werealestatephotography.com/hw6d/"], "decoy": ["medicare101now.com", "danahillathletics.com", "realjobexpert.com", "boulderhalle-hamburg.com", "idoweddinghair.com", "awdcompanies.com", "thevillaflora.com", "neutrasystems.com", "allwest-originals.com", "designtehengsg.com", "thenewyorker.computer", "ladybugtubs.com", "silina-beauty24.com", "mifangtu.com", "fashionbranddeveloper.com", "istanbulhookah.com", "askyoyo.com", "osaka-computer.net", "conegenie.com", "agteless.com", "carsoncredittx.com", "wellalytics.com", "onjulitrading.com", "thelocallawnmen.com", "loanascustomboutique.com", "ohcaftanmycaftan.com", "ardor-fitness.com", "benzinhayvancilik.com", "apthaiproperty.com", "maxim.technology", "dfch18.com", "davaoaffordablecondo.com", "sueshemp.com", "missmaltese.com", "lakecountrydems.com", "lastminuteminister.com", "sofiascelebrations.com", "socialaspecthouston.com", "rechnung.pro", "kathyscrabhouse.com", "themusasoficial.com", "reversemortgageloanmiami.com", "vrventurebsp.com", "whatalode.com", "xh03.net", "qiqihao.site", "specstrii.com", "organicfarmteam.com", "codebinnovations.net", "kizunaservice.com", "lboclkchain.com", "frorool.com", "dpok.network", "desafogados.com", "vestblue.net", "forguyshere.com", "recordprosperity.info", "theballoonbirds.com", "adityabirla-loan.com", "midgex.info", "qishuxia.com", "panopticop.com", "gd-kangda.com", "hotelbrainclub.com"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Metadefender: Detection: 32%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	ReversingLabs: Detection: 53%

Multi AV Scanner detection for submitted file

Source: Inquiry_10_05_2021,pdf.exe	Metadefender: Detection: 32%			Perma Link
Source: Inquiry_10_05_2021,pdf.exe	ReversingLabs: Detection: 53%

Yara detected FormBook

Source: Yara match	File source: 00000000.00000002.329149948.0000000003A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.463820601.00000000034E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.328783834.00000000037D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.463320997.0000000003270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.328847245.000000000386E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.463935334.0000000003510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.392435826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.392729225.0000000000C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.328240255.0000000002995000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.392783029.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 13.2.Inquiry_10_05_2021,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Inquiry_10_05_2021,pdf.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Inquiry_10_05_2021,pdf.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 13.2.Inquiry_10_05_2021,pdf.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: Inquiry_10_05_2021,pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Inquiry_10_05_2021,pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000E.00000000.353153104.0000000009B40000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Inquiry_10_05_2021,pdf.exe, 0000000D.00000002.393048414.00000000012A0000.00000040.00000001.sdmp, cmmon32.exe, 00000015.00000002.466300400.00000000052EF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Inquiry_10_05_2021,pdf.exe, cmmon32.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000E.00000000.353153104.0000000009B40000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.werealestatephotography.com/hw6d/

Source: unknown

DNS traffic detected: queries for: www.qiqihao.site

Source: explorer.exe, 0000000E.00000002.475689345.0000000004DF3000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.328996100.000000000397E000.00000004.00000001.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.327976941.0000000002814000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333247241.0000000006A22000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.352497565.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.328996100.000000000397E000.00000004.00000001.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.328996100.000000000397E000.00000004.00000001.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000000.00000002.329149948.0000000003A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.463820601.00000000034E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.328783834.00000000037D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.463320997.0000000003270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.328847245.000000000386E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.463935334.0000000003510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.392435826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.392729225.0000000000C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.328240255.0000000002995000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.392783029.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 13.2.Inquiry_10_05_2021,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Inquiry_10_05_2021,pdf.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.329149948.0000000003A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.329149948.0000000003A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.463820601.00000000034E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.463820601.00000000034E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.328783834.00000000037D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.328783834.00000000037D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.463320997.0000000003270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.463320997.0000000003270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.328847245.000000000386E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.328847245.000000000386E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.463935334.0000000003510000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.463935334.0000000003510000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.392435826.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.392435826.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.392729225.0000000000C90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.392729225.0000000000C90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.328240255.0000000002995000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.328240255.0000000002995000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.392783029.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.392783029.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.Inquiry_10_05_2021,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.2.Inquiry_10_05_2021,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.Inquiry_10_05_2021,pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.2.Inquiry_10_05_2021,pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_004181B0 NtCreateFile,	13_2_004181B0
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_00418260 NtReadFile,	13_2_00418260
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_004182E0 NtClose,	13_2_004182E0
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_00418390 NtAllocateVirtualMemory,	13_2_00418390
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_004181AA NtCreateFile,	13_2_004181AA
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_004182DA NtClose,	13_2_004182DA
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309910 NtAdjustPrivilegesToken,LdrInitializeThunk,	13_2_01309910
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_013099A0 NtCreateSection,LdrInitializeThunk,	13_2_013099A0
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309860 NtQuerySystemInformation,LdrInitializeThunk,	13_2_01309860
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309840 NtDelayExecution,LdrInitializeThunk,	13_2_01309840
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_013098F0 NtReadVirtualMemory,LdrInitializeThunk,	13_2_013098F0
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309A20 NtResumeThread,LdrInitializeThunk,	13_2_01309A20
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309A00 NtProtectVirtualMemory,LdrInitializeThunk,	13_2_01309A00
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309A50 NtCreateFile,LdrInitializeThunk,	13_2_01309A50
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309540 NtReadFile,LdrInitializeThunk,	13_2_01309540
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_013095D0 NtClose,LdrInitializeThunk,	13_2_013095D0
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309710 NtQueryInformationToken,LdrInitializeThunk,	13_2_01309710
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_013097A0 NtUnmapViewOfSection,LdrInitializeThunk,	13_2_013097A0
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309780 NtMapViewOfSection,LdrInitializeThunk,	13_2_01309780
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309FE0 NtCreateMutant,LdrInitializeThunk,	13_2_01309FE0
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309660 NtAllocateVirtualMemory,LdrInitializeThunk,	13_2_01309660
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_013096E0 NtFreeVirtualMemory,LdrInitializeThunk,	13_2_013096E0
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309950 NtQueueApcThread,	13_2_01309950
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_013099D0 NtCreateProcessEx,	13_2_013099D0
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309820 NtEnumerateKey,	13_2_01309820
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_0130B040 NtSuspendThread,	13_2_0130B040
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_013098A0 NtWriteVirtualMemory,	13_2_013098A0
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309B00 NtSetValueKey,	13_2_01309B00
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_0130A3B0 NtGetContextThread,	13_2_0130A3B0
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309A10 NtQuerySection,	13_2_01309A10
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309A80 NtOpenDirectoryObject,	13_2_01309A80
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_0130AD30 NtSetContextThread,	13_2_0130AD30
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309520 NtWaitForSingleObject,	13_2_01309520
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309560 NtWriteFile,	13_2_01309560
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_013095F0 NtQueryInformationFile,	13_2_013095F0
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309730 NtQueryVirtualMemory,	13_2_01309730
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_0130A710 NtOpenProcessToken,	13_2_0130A710
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_0130A770 NtOpenThread,	13_2_0130A770
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309770 NtSetInformationFile,	13_2_01309770
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309760 NtOpenProcess,	13_2_01309760
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309610 NtEnumerateValueKey,	13_2_01309610
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309670 NtQueryInformationProcess,	13_2_01309670
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01309650 NtQueryValueKey,	13_2_01309650
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_013096D0 NtCreateKey,	13_2_013096D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239910 NtAdjustPrivilegesToken,LdrInitializeThunk,	21_2_05239910
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239540 NtReadFile,LdrInitializeThunk,	21_2_05239540
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052399A0 NtCreateSection,LdrInitializeThunk,	21_2_052399A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052395D0 NtClose,LdrInitializeThunk,	21_2_052395D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239860 NtQuerySystemInformation,LdrInitializeThunk,	21_2_05239860
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239840 NtDelayExecution,LdrInitializeThunk,	21_2_05239840
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239710 NtQueryInformationToken,LdrInitializeThunk,	21_2_05239710
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239780 NtMapViewOfSection,LdrInitializeThunk,	21_2_05239780
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239FE0 NtCreateMutant,LdrInitializeThunk,	21_2_05239FE0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239660 NtAllocateVirtualMemory,LdrInitializeThunk,	21_2_05239660
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239A50 NtCreateFile,LdrInitializeThunk,	21_2_05239A50
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239650 NtQueryValueKey,LdrInitializeThunk,	21_2_05239650
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052396E0 NtFreeVirtualMemory,LdrInitializeThunk,	21_2_052396E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052396D0 NtCreateKey,LdrInitializeThunk,	21_2_052396D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239520 NtWaitForSingleObject,	21_2_05239520
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_0523AD30 NtSetContextThread,	21_2_0523AD30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239560 NtWriteFile,	21_2_05239560
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239950 NtQueueApcThread,	21_2_05239950
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052395F0 NtQueryInformationFile,	21_2_052395F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052399D0 NtCreateProcessEx,	21_2_052399D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239820 NtEnumerateKey,	21_2_05239820
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_0523B040 NtSuspendThread,	21_2_0523B040
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052398A0 NtWriteVirtualMemory,	21_2_052398A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052398F0 NtReadVirtualMemory,	21_2_052398F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239730 NtQueryVirtualMemory,	21_2_05239730
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239B00 NtSetValueKey,	21_2_05239B00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_0523A710 NtOpenProcessToken,	21_2_0523A710
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239760 NtOpenProcess,	21_2_05239760
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239770 NtSetInformationFile,	21_2_05239770
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_0523A770 NtOpenThread,	21_2_0523A770
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052397A0 NtUnmapViewOfSection,	21_2_052397A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_0523A3B0 NtGetContextThread,	21_2_0523A3B0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239A20 NtResumeThread,	21_2_05239A20
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239A00 NtProtectVirtualMemory,	21_2_05239A00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239610 NtEnumerateValueKey,	21_2_05239610
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239A10 NtQuerySection,	21_2_05239A10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239670 NtQueryInformationProcess,	21_2_05239670
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05239A80 NtOpenDirectoryObject,	21_2_05239A80
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_03288390 NtAllocateVirtualMemory,	21_2_03288390
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_03288260 NtReadFile,	21_2_03288260
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_032882E0 NtClose,	21_2_032882E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_032881B0 NtCreateFile,	21_2_032881B0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_032882DA NtClose,	21_2_032882DA
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_032881AA NtCreateFile,	21_2_032881AA

Detected potential crypto function

Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Code function: 0_2_00C7E2AA	0_2_00C7E2AA
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Code function: 0_2_00C7E2B0	0_2_00C7E2B0
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Code function: 0_2_00C7C30C	0_2_00C7C30C
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Code function: 0_2_075E1388	0_2_075E1388
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_00401030	13_2_00401030
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_00408C4B	13_2_00408C4B
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_00408C50	13_2_00408C50
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_0041BC56	13_2_0041BC56
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_0041B496	13_2_0041B496
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_0041CD31	13_2_0041CD31
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_00402D87	13_2_00402D87
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_00402D90	13_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_00402FB0	13_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_012E4120	13_2_012E4120
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_012CF900	13_2_012CF900
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01381002	13_2_01381002
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_012F20A0	13_2_012F20A0
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_013920A8	13_2_013920A8
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_012DB090	13_2_012DB090
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_013928EC	13_2_013928EC
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01392B28	13_2_01392B28
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_012FEBB0	13_2_012FEBB0
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_0138DBD2	13_2_0138DBD2
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_013922AE	13_2_013922AE
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_012C0D20	13_2_012C0D20
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01392D07	13_2_01392D07
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01391D55	13_2_01391D55
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_012F2581	13_2_012F2581
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_012DD5E0	13_2_012DD5E0
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_013925DD	13_2_013925DD
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_012D841F	13_2_012D841F
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_0138D466	13_2_0138D466
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01391FF1	13_2_01391FF1
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_012E6E30	13_2_012E6E30
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_0138D616	13_2_0138D616
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_01392EF7	13_2_01392EF7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05214120	21_2_05214120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_051FF900	21_2_051FF900
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052C2D07	21_2_052C2D07
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_051F0D20	21_2_051F0D20
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052C1D55	21_2_052C1D55
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05222581	21_2_05222581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_0520D5E0	21_2_0520D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052C25DD	21_2_052C25DD
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052B1002	21_2_052B1002
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_0520841F	21_2_0520841F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052220A0	21_2_052220A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052C20A8	21_2_052C20A8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_0520B090	21_2_0520B090
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052C28EC	21_2_052C28EC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052C2B28	21_2_052C2B28
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_0522EBB0	21_2_0522EBB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052C1FF1	21_2_052C1FF1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052BDBD2	21_2_052BDBD2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_05216E30	21_2_05216E30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052C22AE	21_2_052C22AE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_052C2EF7	21_2_052C2EF7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_03272FB0	21_2_03272FB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_0328CD31	21_2_0328CD31
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_03272D87	21_2_03272D87
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_03272D90	21_2_03272D90
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_03278C4B	21_2_03278C4B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_03278C50	21_2_03278C50
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_0328B496	21_2_0328B496

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: String function: 012CB150 appears 35 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 051FB150 appears 35 times

Sample file is different than original file name gathered from version info

Source: Inquiry_10_05_2021,pdf.exe	Binary or memory string: OriginalFilename vs Inquiry_10_05_2021,pdf.exe
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.329149948.0000000003A30000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDggcokarg.dll" vs Inquiry_10_05_2021,pdf.exe
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.328996100.000000000397E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Inquiry_10_05_2021,pdf.exe
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000002.333927705.0000000006F00000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Inquiry_10_05_2021,pdf.exe
Source: Inquiry_10_05_2021,pdf.exe, 00000000.00000003.324453096.00000000073E1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIrqoouoq.exe< vs Inquiry_10_05_2021,pdf.exe
Source: Inquiry_10_05_2021,pdf.exe	Binary or memory string: OriginalFilename vs Inquiry_10_05_2021,pdf.exe
Source: Inquiry_10_05_2021,pdf.exe, 0000000D.00000002.393459524.000000000154F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Inquiry_10_05_2021,pdf.exe
Source: Inquiry_10_05_2021,pdf.exe	Binary or memory string: OriginalFilenameIrqoouoq.exe< vs Inquiry_10_05_2021,pdf.exe

Uses 32bit PE files

Source: Inquiry_10_05_2021,pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000000.00000002.329149948.0000000003A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.329149948.0000000003A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.463820601.00000000034E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.463820601.00000000034E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.328783834.00000000037D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.328783834.00000000037D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.463320997.0000000003270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.463320997.0000000003270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.328847245.000000000386E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.328847245.000000000386E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.463935334.0000000003510000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.463935334.0000000003510000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.392435826.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.392435826.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.392729225.0000000000C90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.392729225.0000000000C90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.328240255.0000000002995000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.328240255.0000000002995000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.392783029.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.392783029.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.Inquiry_10_05_2021,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.Inquiry_10_05_2021,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.Inquiry_10_05_2021,pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.Inquiry_10_05_2021,pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: Inquiry_10_05_2021,pdf.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Inquiry_10_05_2021,pdf.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/3@3/0

Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Inquiry_10_05_2021,pdf.exe.log

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe 'C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe'
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process created: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process created: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe'	Jump to behavior

Source: Inquiry_10_05_2021,pdf.exe.0.dr, u0006u001du000f/u0007.cs	.Net Code: \x0E\x1D\x0F System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Inquiry_10_05_2021,pdf.exe.4e0000.0.unpack, u0006u001du000f/u0007.cs	.Net Code: \x0E\x1D\x0F System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Inquiry_10_05_2021,pdf.exe.4e0000.0.unpack, u0006u001du000f/u0007.cs	.Net Code: \x0E\x1D\x0F System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.Inquiry_10_05_2021,pdf.exe.7a0000.0.unpack, u0006u001du000f/u0007.cs	.Net Code: \x0E\x1D\x0F System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.Inquiry_10_05_2021,pdf.exe.7a0000.1.unpack, u0006u001du000f/u0007.cs	.Net Code: \x0E\x1D\x0F System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_004153DD push ebp; ret	13_2_004153E0
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_0041B3F2 push eax; ret	13_2_0041B3F8
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_0041B3FB push eax; ret	13_2_0041B462
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_0041B3A5 push eax; ret	13_2_0041B3F8
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_0041B45C push eax; ret	13_2_0041B462
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_00417DC3 pushad ; ret	13_2_00417DC4
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_00415E10 push edi; ret	13_2_00415E31
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_00414F69 push edx; ret	13_2_00414F6A
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Code function: 13_2_0131D0D1 push ecx; ret	13_2_0131D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_0524D0D1 push ecx; ret	21_2_0524D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_0328B3A5 push eax; ret	21_2_0328B3F8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_0328B3FB push eax; ret	21_2_0328B462
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_0328B3F2 push eax; ret	21_2_0328B3F8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_032853DD push ebp; ret	21_2_032853E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_03284F69 push edx; ret	21_2_03284F6A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_03285E10 push edi; ret	21_2_03285E31
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_03287DC3 pushad ; ret	21_2_03287DC4
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 21_2_0328B45C push eax; ret	21_2_0328B462

Source: initial sample	Static PE information: section name: .text entropy: 7.99403499414
Source: initial sample	Static PE information: section name: .text entropy: 7.99403499414

Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 00000000032785E4 second address: 00000000032785EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 000000000327896E second address: 0000000003278974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe	Last function: Thread delayed

Source: explorer.exe, 0000000E.00000000.351910419.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000E.00000000.351910419.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 0000000E.00000000.351592629.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000000.351314090.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000E.00000002.476669997.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 0000000E.00000000.351910419.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 0000000E.00000000.351910419.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000E.00000002.476711938.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 0000000E.00000000.351314090.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000E.00000000.351314090.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000E.00000002.476781580.00000000056A1000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll JPE
Source: explorer.exe, 0000000E.00000000.351314090.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Inquiry_10_05_2021,pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Thread register set: target process: 3388	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	Thread register set: target process: 3388	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Thread register set: target process: 3388	Jump to behavior

Source: explorer.exe, 0000000E.00000000.331493811.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 0000000E.00000002.466093643.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000015.00000002.464305174.00000000039D0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000E.00000002.466093643.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000015.00000002.464305174.00000000039D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000002.466093643.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000015.00000002.464305174.00000000039D0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000002.466093643.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000015.00000002.464305174.00000000039D0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Name	IP	Active
parkingpage.namecheap.com	198.54.117.215	true
thevillaflora.com	192.0.78.24	true
www.qiqihao.site	unknown	unknown
www.thevillaflora.com	unknown	unknown
www.thenewyorker.computer	unknown	unknown

ID:	411852
Product:	CloudBasic
Start time:	07:48:43
Start date:	12.05.2021
Sample:	Inquiry_10_05_2021,pdf.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	d394a8c0a37bcdaf432b2882714c6eba
SHA1:	52d386445e50600a920f16692bbf30829d08932c
SHA256:	3f4dc309be69548972299cb0517c884bcb5a472fbf9693ff3d07776c9464af1c
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Inquiry_10_05_2021,pdf.exe.log	ASCII text, with CRLF line terminators	3197B1D4714B56F2A6AC9E83761739AE	3B38010F0DF51C1D4D2C020138202DABB686741D	40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	D394A8C0A37BCDAF432B2882714C6EBA	52D386445E50600A920F16692BBF30829D08932C	3F4DC309BE69548972299CB0517C884BCB5A472FBF9693FF3D07776C9464AF1C
C:\Users\user\AppData\Local\Temp\Inquiry_10_05_2021,pdf.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Analysis Report Inquiry_10_05_2021,pdf.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Domains

Contacted URLs