Edit tour

Windows Analysis Report
FORTUNE RICH_PARTICULARS.pdf.scr.exe

Overview

General Information

Sample name:	FORTUNE RICH_PARTICULARS.pdf.scr.exe
Analysis ID:	1585108
MD5:	4947f452082bd2777d7dc32cf51035e5
SHA1:	ad1303c43216936b3e8b11de5083697db2620e20
SHA256:	b2f88cb8f154ac5d65ea6625caa29220d585c1934e5ef696439ce17dae8d0cfa
Tags:	exeuser-threatcat_ch
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

FORTUNE RICH_PARTICULARS.pdf.scr.exe (PID: 7428 cmdline: "C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe" MD5: 4947F452082BD2777D7DC32CF51035E5)

FORTUNE RICH_PARTICULARS.pdf.scr.exe (PID: 7524 cmdline: "C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe" MD5: 4947F452082BD2777D7DC32CF51035E5)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "hubservices@navecepa.com", "Password": "yiwLgN*rC4", "Server": "smtp.navecepa.com", "To": "COMPUTERNAME", "Port": 971342}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf061:$a1: get_encryptedPassword 0xf389:$a2: get_encryptedUsername 0xedea:$a3: get_timePasswordChanged 0xef0b:$a4: get_passwordField 0xf077:$a5: set_encryptedPassword 0x109dc:$a7: get_logins 0x1068d:$a8: GetOutlookPasswords 0x1047f:$a9: StartKeylogger 0x1092c:$a10: KeyLoggerEventArgs 0x104dc:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.2901912977.0000000002604000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa4481:$a1: get_encryptedPassword 0xbb2b1:$a1: get_encryptedPassword 0xd1ed1:$a1: get_encryptedPassword 0xa47a9:$a2: get_encryptedUsername 0xbb5d9:$a2: get_encryptedUsername 0xd21f9:$a2: get_encryptedUsername 0xa420a:$a3: get_timePasswordChanged 0xbb03a:$a3: get_timePasswordChanged 0xd1c5a:$a3: get_timePasswordChanged 0xa432b:$a4: get_passwordField 0xbb15b:$a4: get_passwordField 0xd1d7b:$a4: get_passwordField 0xa4497:$a5: set_encryptedPassword 0xbb2c7:$a5: set_encryptedPassword 0xd1ee7:$a5: set_encryptedPassword 0xa5dfc:$a7: get_logins 0xbcc2c:$a7: get_logins 0xd384c:$a7: get_logins 0xa5aad:$a8: GetOutlookPasswords 0xbc8dd:$a8: GetOutlookPasswords 0xd34fd:$a8: GetOutlookPasswords
Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7428	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7428	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7428	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7428	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x109f7:$a1: get_encryptedPassword 0x10c92:$a2: get_encryptedUsername 0x107a1:$a3: get_timePasswordChanged 0x108b5:$a4: get_passwordField 0x10a0d:$a5: set_encryptedPassword 0x11eb1:$a7: get_logins 0x11bdf:$a8: GetOutlookPasswords 0x11a19:$a9: StartKeylogger 0x11e16:$a10: KeyLoggerEventArgs 0x11a76:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7524	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7524	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7524	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7524	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1fba5:$a1: get_encryptedPassword 0x1febe:$a2: get_encryptedUsername 0x1f942:$a3: get_timePasswordChanged 0x1fa63:$a4: get_passwordField 0x1fbbb:$a5: set_encryptedPassword 0x214c7:$a7: get_logins 0x21178:$a8: GetOutlookPasswords 0x20f6a:$a9: StartKeylogger 0x21417:$a10: KeyLoggerEventArgs 0x20fc7:$a11: KeyLoggerEventArgsEventHandler
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.510000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.510000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.510000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.510000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf261:$a1: get_encryptedPassword 0xf589:$a2: get_encryptedUsername 0xefea:$a3: get_timePasswordChanged 0xf10b:$a4: get_passwordField 0xf277:$a5: set_encryptedPassword 0x10bdc:$a7: get_logins 0x1088d:$a8: GetOutlookPasswords 0x1067f:$a9: StartKeylogger 0x10b2c:$a10: KeyLoggerEventArgs 0x106dc:$a11: KeyLoggerEventArgsEventHandler
2.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.510000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x142b3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x137b1:$a3: \Google\Chrome\User Data\Default\Login Data 0x13abf:$a4: \Orbitum\User Data\Default\Login Data 0x148b7:$a5: \Kometa\User Data\Default\Login Data
0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd461:$a1: get_encryptedPassword 0xd789:$a2: get_encryptedUsername 0xd1ea:$a3: get_timePasswordChanged 0xd30b:$a4: get_passwordField 0xd477:$a5: set_encryptedPassword 0xeddc:$a7: get_logins 0xea8d:$a8: GetOutlookPasswords 0xe87f:$a9: StartKeylogger 0xed2c:$a10: KeyLoggerEventArgs 0xe8dc:$a11: KeyLoggerEventArgsEventHandler
0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x124b3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x119b1:$a3: \Google\Chrome\User Data\Default\Login Data 0x11cbf:$a4: \Orbitum\User Data\Default\Login Data 0x12ab7:$a5: \Kometa\User Data\Default\Login Data
0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf261:$a1: get_encryptedPassword 0x26091:$a1: get_encryptedPassword 0x3ccb1:$a1: get_encryptedPassword 0xf589:$a2: get_encryptedUsername 0x263b9:$a2: get_encryptedUsername 0x3cfd9:$a2: get_encryptedUsername 0xefea:$a3: get_timePasswordChanged 0x25e1a:$a3: get_timePasswordChanged 0x3ca3a:$a3: get_timePasswordChanged 0xf10b:$a4: get_passwordField 0x25f3b:$a4: get_passwordField 0x3cb5b:$a4: get_passwordField 0xf277:$a5: set_encryptedPassword 0x260a7:$a5: set_encryptedPassword 0x3ccc7:$a5: set_encryptedPassword 0x10bdc:$a7: get_logins 0x27a0c:$a7: get_logins 0x3e62c:$a7: get_logins 0x1088d:$a8: GetOutlookPasswords 0x276bd:$a8: GetOutlookPasswords 0x3e2dd:$a8: GetOutlookPasswords
0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x142b3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2b0e3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x41d03:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x137b1:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a5e1:$a3: \Google\Chrome\User Data\Default\Login Data 0x41201:$a3: \Google\Chrome\User Data\Default\Login Data 0x13abf:$a4: \Orbitum\User Data\Default\Login Data 0x2a8ef:$a4: \Orbitum\User Data\Default\Login Data 0x4150f:$a4: \Orbitum\User Data\Default\Login Data 0x148b7:$a5: \Kometa\User Data\Default\Login Data 0x2b6e7:$a5: \Kometa\User Data\Default\Login Data 0x42307:$a5: \Kometa\User Data\Default\Login Data
0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.393d1b0.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.393d1b0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.393d1b0.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.393d1b0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x502d1:$a1: get_encryptedPassword 0x67101:$a1: get_encryptedPassword 0x7dd21:$a1: get_encryptedPassword 0x505f9:$a2: get_encryptedUsername 0x67429:$a2: get_encryptedUsername 0x7e049:$a2: get_encryptedUsername 0x5005a:$a3: get_timePasswordChanged 0x66e8a:$a3: get_timePasswordChanged 0x7daaa:$a3: get_timePasswordChanged 0x5017b:$a4: get_passwordField 0x66fab:$a4: get_passwordField 0x7dbcb:$a4: get_passwordField 0x502e7:$a5: set_encryptedPassword 0x67117:$a5: set_encryptedPassword 0x7dd37:$a5: set_encryptedPassword 0x51c4c:$a7: get_logins 0x68a7c:$a7: get_logins 0x7f69c:$a7: get_logins 0x518fd:$a8: GetOutlookPasswords 0x6872d:$a8: GetOutlookPasswords 0x7f34d:$a8: GetOutlookPasswords
0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.393d1b0.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x55323:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x6c153:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x82d73:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x54821:$a3: \Google\Chrome\User Data\Default\Login Data 0x6b651:$a3: \Google\Chrome\User Data\Default\Login Data 0x82271:$a3: \Google\Chrome\User Data\Default\Login Data 0x54b2f:$a4: \Orbitum\User Data\Default\Login Data 0x6b95f:$a4: \Orbitum\User Data\Default\Login Data 0x8257f:$a4: \Orbitum\User Data\Default\Login Data 0x55927:$a5: \Kometa\User Data\Default\Login Data 0x6c757:$a5: \Kometa\User Data\Default\Login Data 0x83377:$a5: \Kometa\User Data\Default\Login Data
0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.3913380.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.3913380.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.3913380.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.3913380.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7a101:$a1: get_encryptedPassword 0x90f31:$a1: get_encryptedPassword 0xa7b51:$a1: get_encryptedPassword 0x7a429:$a2: get_encryptedUsername 0x91259:$a2: get_encryptedUsername 0xa7e79:$a2: get_encryptedUsername 0x79e8a:$a3: get_timePasswordChanged 0x90cba:$a3: get_timePasswordChanged 0xa78da:$a3: get_timePasswordChanged 0x79fab:$a4: get_passwordField 0x90ddb:$a4: get_passwordField 0xa79fb:$a4: get_passwordField 0x7a117:$a5: set_encryptedPassword 0x90f47:$a5: set_encryptedPassword 0xa7b67:$a5: set_encryptedPassword 0x7ba7c:$a7: get_logins 0x928ac:$a7: get_logins 0xa94cc:$a7: get_logins 0x7b72d:$a8: GetOutlookPasswords 0x9255d:$a8: GetOutlookPasswords 0xa917d:$a8: GetOutlookPasswords
0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.3913380.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x7f153:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x95f83:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xacba3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e651:$a3: \Google\Chrome\User Data\Default\Login Data 0x95481:$a3: \Google\Chrome\User Data\Default\Login Data 0xac0a1:$a3: \Google\Chrome\User Data\Default\Login Data 0x7e95f:$a4: \Orbitum\User Data\Default\Login Data 0x9578f:$a4: \Orbitum\User Data\Default\Login Data 0xac3af:$a4: \Orbitum\User Data\Default\Login Data 0x7f757:$a5: \Kometa\User Data\Default\Login Data 0x96587:$a5: \Kometa\User Data\Default\Login Data 0xad1a7:$a5: \Kometa\User Data\Default\Login Data
Click to see the 20 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T05:02:57.257162+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49732	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe

Avira: detected

Found malware configuration

Source: 00000002.00000002.2901912977.00000000024E1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "hubservices@navecepa.com", "Password": "yiwLgN*rC4", "Server": "smtp.navecepa.com", "To": "COMPUTERNAME", "Port": 971342}

Multi AV Scanner detection for submitted file

Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.0

Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Stubs Fully\Public\Public Runpe\PR\PR\obj\Debug\Poses.pdb source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1660681628.00000000028E1000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 4x nop then jmp 00A98922h	2_2_00A98508
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 4x nop then jmp 00A981F9h	2_2_00A97F48
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 4x nop then jmp 00A98922h	2_2_00A9884F
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 4x nop then jmp 00A9FAF8h	2_2_00A9F7F8

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49732 -> 158.101.44.242:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000255F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000255F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000255F000.00000004.00000800.00020000.00000000.sdmp, FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.00000000024E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.00000000024E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000255F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000255F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000257B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000257B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.00000000024E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000255F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000255F000.00000004.00000800.00020000.00000000.sdmp, FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000255F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000255F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1660201986.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wdcp.microsoft.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.510000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.510000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.393d1b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.393d1b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.3913380.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.3913380.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7428, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7524, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: FORTUNE RICH_PARTICULARS.pdf.scr.exe

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 0_2_00BEE084	0_2_00BEE084
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 0_2_073C1787	0_2_073C1787
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 2_2_00A9AC08	2_2_00A9AC08
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 2_2_00A9F128	2_2_00A9F128
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 2_2_00A97F48	2_2_00A97F48
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 2_2_00A9E402	2_2_00A9E402
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 2_2_00A9E770	2_2_00A9E770
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 2_2_00A9ABF8	2_2_00A9ABF8
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 2_2_00A92DD1	2_2_00A92DD1
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 2_2_00A9EF08	2_2_00A9EF08
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 2_2_00A9F7F8	2_2_00A9F7F8
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 2_2_00A97F37	2_2_00A97F37

Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000000.1648152401.00000000004A6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePop.exe( vs FORTUNE RICH_PARTICULARS.pdf.scr.exe
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1659905835.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs FORTUNE RICH_PARTICULARS.pdf.scr.exe
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVebinace.dll2 vs FORTUNE RICH_PARTICULARS.pdf.scr.exe
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs FORTUNE RICH_PARTICULARS.pdf.scr.exe
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1660681628.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePoses.dll, vs FORTUNE RICH_PARTICULARS.pdf.scr.exe
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1660681628.000000000295B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePoses.dll, vs FORTUNE RICH_PARTICULARS.pdf.scr.exe
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1660681628.000000000295B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs FORTUNE RICH_PARTICULARS.pdf.scr.exe
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2900884309.000000000052A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs FORTUNE RICH_PARTICULARS.pdf.scr.exe
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2900851693.00000000004F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FORTUNE RICH_PARTICULARS.pdf.scr.exe
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe	Binary or memory string: OriginalFilenamePop.exe( vs FORTUNE RICH_PARTICULARS.pdf.scr.exe

Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.510000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.510000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.393d1b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.393d1b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.3913380.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.3913380.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7428, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7524, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, Form1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.393d1b0.2.raw.unpack, AirFilter.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.3913380.4.raw.unpack, AirFilter.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.393d1b0.2.raw.unpack, EngineBlock.cs	Suspicious method names: .EngineBlock.FuelInjectionType
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.3913380.4.raw.unpack, FuelInjector.cs	Suspicious method names: .FuelInjector.InjectorType
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.3913380.4.raw.unpack, FuelInjector.cs	Suspicious method names: .FuelInjector.AreInjectorsClogged
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.3913380.4.raw.unpack, FuelInjector.cs	Suspicious method names: .FuelInjector.InjectorDutyCycle
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.3913380.4.raw.unpack, FuelInjector.cs	Suspicious method names: .FuelInjector.InjectorFlowRate
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.393d1b0.2.raw.unpack, FuelInjector.cs	Suspicious method names: .FuelInjector.InjectorType
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.393d1b0.2.raw.unpack, FuelInjector.cs	Suspicious method names: .FuelInjector.AreInjectorsClogged
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.393d1b0.2.raw.unpack, FuelInjector.cs	Suspicious method names: .FuelInjector.InjectorDutyCycle
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.393d1b0.2.raw.unpack, FuelInjector.cs	Suspicious method names: .FuelInjector.InjectorFlowRate
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.3913380.4.raw.unpack, EngineBlock.cs	Suspicious method names: .EngineBlock.FuelInjectionType

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FORTUNE RICH_PARTICULARS.pdf.scr.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe

Mutant created: NULL

Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.00000000025BF000.00000004.00000800.00020000.00000000.sdmp, FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.00000000025DD000.00000004.00000800.00020000.00000000.sdmp, FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.00000000025CF000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe "C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe"
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process created: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe "C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe"
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process created: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe "C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

.NET source code contains potential unpacker

Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, Form1.cs	.Net Code: Form1_Load System.Reflection.Assembly.Load(byte[])
Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, Form1.cs	.Net Code: Form1_Load

Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe

Static PE information: 0x87DDA81E [Wed Mar 26 12:44:14 2042 UTC]

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 2_2_00A938AF push eax; retf 0070h	2_2_00A938EA
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 2_2_00A938EF push eax; retf 0070h	2_2_00A938FA
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 2_2_00A938FF push eax; retf 0070h	2_2_00A9390A
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 2_2_00A93862 push eax; retf 0070h	2_2_00A938EA
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 2_2_00A9387F push eax; retf 0070h	2_2_00A938EA
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Code function: 2_2_00A9387F push eax; retf 0070h	2_2_00A938FA

Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe

Static PE information: section name: .text entropy: 7.72014595747216

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.scr

Static PE information: FORTUNE RICH_PARTICULARS.pdf.scr.exe

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Memory allocated: BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Memory allocated: 28E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Memory allocated: 2680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Memory allocated: A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Memory allocated: 24E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Memory allocated: 22F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe TID: 7448

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901360604.00000000007B6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe

Code function: 2_2_00A9F128 LdrInitializeThunk,LdrInitializeThunk,

2_2_00A9F128

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.294f3f0.1.raw.unpack, EngineAlgorithm.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.294f3f0.1.raw.unpack, EngineAlgorithm.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe

Process created: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe "C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe"

Jump to behavior

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 2.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.393d1b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.3913380.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7524, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.393d1b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.3913380.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7524, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 2.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.393d1b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.3913380.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2901912977.0000000002604000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7524, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 2.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.393d1b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.3913380.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7524, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.397e220.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.393d1b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FORTUNE RICH_PARTICULARS.pdf.scr.exe.3913380.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FORTUNE RICH_PARTICULARS.pdf.scr.exe PID: 7524, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	1 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	11 Archive Collected Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	1 Data from Local System	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	13 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
FORTUNE RICH_PARTICULARS.pdf.scr.exe	18%	ReversingLabs
FORTUNE RICH_PARTICULARS.pdf.scr.exe	100%	Avira	HEUR/AGEN.1306813
FORTUNE RICH_PARTICULARS.pdf.scr.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://wdcp.microsoft.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.orgd	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000257B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000255F000.00000004.00000800.00020000.00000000.sdmp, FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.00000000024E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189l	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000255F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comd	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000255F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189d	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000255F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wdcp.microsoft.	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1660201986.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://reallyfreegeoip.org	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000257B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000255F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000255F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000255F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000255F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.00000000024E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1661578423.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2901912977.000000000255F000.00000004.00000800.00020000.00000000.sdmp, FORTUNE RICH_PARTICULARS.pdf.scr.exe, 00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585108
Start date and time:	2025-01-07 05:02:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FORTUNE RICH_PARTICULARS.pdf.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 25 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
	ce.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/lxvbq
	Label_00000852555.doc.js	Get hash	malicious	Unknown	Browse	tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
158.101.44.242	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	ZOYGRL1ePa.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	checkip.dyndns.org/
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Overheaped237.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
checkip.dyndns.com	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://report-scam.malwarebouncer.com/XcUR2TnV2VTlXT0s0Z0NYa01KSGt3dUtWMWNiblBrc29mMlpZUU1WdThBSjdDdTlRQTVDV1ZZd0pDeWRmUU5rQ1QvVDNiSlBNYWd2bTd0eTRkZW5jT0hrYTBKWHFiVUc4TVZBOGpiNkh4VG9OTm9zNTVUWHNmNWVydHpqbzhIc1llSzdzTHZ0dENVNWRLZy9BbCsyVDRMSGRHOThUWnV5QUxPU0RZL1dPalNYTmUzMTVoRzl5bmk1ZVZRPT0tLUdVYnJkMC9GazI3MWlxYmotLUpFOURyOWkzK1l6Vy9BYTVOVDBVNkE9PQ==?cid=2346401253	Get hash	malicious	KnowBe4	Browse	104.17.25.14
	x86_64.elf	Get hash	malicious	Mirai	Browse	8.44.60.50
	sh4.elf	Get hash	malicious	Mirai	Browse	162.158.206.216
	w3245.exe	Get hash	malicious	Unknown	Browse	104.21.80.52
	w3245.exe	Get hash	malicious	Unknown	Browse	104.21.80.52
	https://bs32c.golfercaps.com/vfd23ced/#sean@virtualintelligencebriefing.com	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://app.saner.ai/shared/notes/7353e5ae-dd5f-410b-92c3-210c9e88052a	Get hash	malicious	HTMLPhisher	Browse	104.17.247.203
	https://solve.jrqr.org/awjxs.captcha?u=df8172c9-2ab6-423b-8c92-85669127a20a	Get hash	malicious	Unknown	Browse	104.21.27.98
	Jeffparish.docx	Get hash	malicious	Unknown	Browse	104.17.24.14
	https://u43161309.ct.sendgrid.net/ls/click?upn=u001.L9-2FCbhkaoUACh7As3yZ8i4iABGphfl-2FJgS6Xiu1aw6I-3DgXpA_qO4VbBWAKg4gLfGs-2BfuSyZki3gKzG4I1DrYN15Q8fD7JV1twLeLo1AFs1GBSG3ZgA22dFJdXJloKc56aXDeV3olJKTBJd8NprednZ2LeXdX-2BkcSQE-2F2FRwgBng5RbUCLfjS8-2FI3mrpwyYu9lRatIB62qUwPSax-2Fhh2c7R-2B7pT3Kos0wK0SEJGj4ZMkgOGYhEniKYT7Kn7jN25xFz2sFdtPlVQkIdCFKwDNWmq-2BrAxerZE2GuKgfkuf3l1UY4J42sOOltybAAVyLhV-2BXfmbuQpN4NpshXRIuhta8ho3ChcTA5NtgjludQThyLtwhGns-2ByLqSbpO1Bhhc-2FCgdgP-2BAOxYrGHvKHjVYRr6-2BiryADxfM-3D	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
ORACLE-BMC-31898US	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Fantazy.i686.elf	Get hash	malicious	Unknown	Browse	193.123.7.176
	fuckunix.spc.elf	Get hash	malicious	Mirai	Browse	144.25.181.0
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	test.exe	Get hash	malicious	Unknown	Browse	130.61.86.87
	file.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	file.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	adguardInstaller.exe	Get hash	malicious	PureLog Stealer	Browse	188.114.97.3
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3

Process:	C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.711127862952333
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	FORTUNE RICH_PARTICULARS.pdf.scr.exe
File size:	222'720 bytes
MD5:	4947f452082bd2777d7dc32cf51035e5
SHA1:	ad1303c43216936b3e8b11de5083697db2620e20
SHA256:	b2f88cb8f154ac5d65ea6625caa29220d585c1934e5ef696439ce17dae8d0cfa
SHA512:	7eee4f1b8f276c9d41878e463a60fc48cd82d8c632dba3f48a71b7f767236e4f2678704627633ce9dbc49a238019f0f36b682145bcdede591fa7951535fc937e
SSDEEP:	3072:+rIOgeLRN9KkUFBlFdXcowGj8VJx72TJEJ2WTi56q51vb4:+rIOgelGrfgGjQJ2km
TLSH:	9824E6153795412DE569EEB894510BC22FBFBB1EA02F770C7B0CE466F6892CD0582A1F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0......6.......L... ...`....@.. ....................................@................................

File Icon


Icon Hash:	13d1421995c6490d

Static PE Info

General

Entrypoint:	0x434c2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x87DDA81E [Wed Mar 26 12:44:14 2042 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x34bd4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x36000	0x33b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x32c34	0x32e00	3b9eddf807a5be8e6fccea8ee271a090	False	0.669605152027027	data	7.72014595747216	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x36000	0x33b0	0x3400	136a6ce04816fdd601cebdcbc9c13296	False	0.9194711538461539	data	7.703187088905528	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3a000	0xc	0x200	185220484a2493883cc0809e078e637a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x36130	0x2d91	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9799399914273468
RT_GROUP_ICON	0x38ec4	0x14	data	0.95
RT_VERSION	0x38ed8	0x2ec	data	0.4344919786096257
RT_MANIFEST	0x391c4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-07T05:02:57.257162+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49732	158.101.44.242	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 05:02:56.108685017 CET	49732	80	192.168.2.4	158.101.44.242
Jan 7, 2025 05:02:56.113586903 CET	80	49732	158.101.44.242	192.168.2.4
Jan 7, 2025 05:02:56.113651037 CET	49732	80	192.168.2.4	158.101.44.242
Jan 7, 2025 05:02:56.113825083 CET	49732	80	192.168.2.4	158.101.44.242
Jan 7, 2025 05:02:56.118597984 CET	80	49732	158.101.44.242	192.168.2.4
Jan 7, 2025 05:02:56.976543903 CET	80	49732	158.101.44.242	192.168.2.4
Jan 7, 2025 05:02:57.022808075 CET	49732	80	192.168.2.4	158.101.44.242
Jan 7, 2025 05:02:57.026058912 CET	49732	80	192.168.2.4	158.101.44.242
Jan 7, 2025 05:02:57.030867100 CET	80	49732	158.101.44.242	192.168.2.4
Jan 7, 2025 05:02:57.203186989 CET	80	49732	158.101.44.242	192.168.2.4
Jan 7, 2025 05:02:57.223973036 CET	49733	443	192.168.2.4	188.114.97.3
Jan 7, 2025 05:02:57.224040031 CET	443	49733	188.114.97.3	192.168.2.4
Jan 7, 2025 05:02:57.224155903 CET	49733	443	192.168.2.4	188.114.97.3
Jan 7, 2025 05:02:57.252118111 CET	49733	443	192.168.2.4	188.114.97.3
Jan 7, 2025 05:02:57.252130985 CET	443	49733	188.114.97.3	192.168.2.4
Jan 7, 2025 05:02:57.257162094 CET	49732	80	192.168.2.4	158.101.44.242
Jan 7, 2025 05:02:57.733393908 CET	443	49733	188.114.97.3	192.168.2.4
Jan 7, 2025 05:02:57.733506918 CET	49733	443	192.168.2.4	188.114.97.3
Jan 7, 2025 05:02:57.738861084 CET	49733	443	192.168.2.4	188.114.97.3
Jan 7, 2025 05:02:57.738871098 CET	443	49733	188.114.97.3	192.168.2.4
Jan 7, 2025 05:02:57.739156008 CET	443	49733	188.114.97.3	192.168.2.4
Jan 7, 2025 05:02:57.788419962 CET	49733	443	192.168.2.4	188.114.97.3
Jan 7, 2025 05:02:57.795588970 CET	49733	443	192.168.2.4	188.114.97.3
Jan 7, 2025 05:02:57.843329906 CET	443	49733	188.114.97.3	192.168.2.4
Jan 7, 2025 05:02:57.911475897 CET	443	49733	188.114.97.3	192.168.2.4
Jan 7, 2025 05:02:57.911546946 CET	443	49733	188.114.97.3	192.168.2.4
Jan 7, 2025 05:02:57.911673069 CET	49733	443	192.168.2.4	188.114.97.3
Jan 7, 2025 05:02:57.920454025 CET	49733	443	192.168.2.4	188.114.97.3
Jan 7, 2025 05:04:02.203289032 CET	80	49732	158.101.44.242	192.168.2.4
Jan 7, 2025 05:04:02.203392982 CET	49732	80	192.168.2.4	158.101.44.242
Jan 7, 2025 05:04:37.210942984 CET	49732	80	192.168.2.4	158.101.44.242
Jan 7, 2025 05:04:37.215740919 CET	80	49732	158.101.44.242	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 05:02:56.093465090 CET	62434	53	192.168.2.4	1.1.1.1
Jan 7, 2025 05:02:56.100646973 CET	53	62434	1.1.1.1	192.168.2.4
Jan 7, 2025 05:02:57.213774920 CET	63168	53	192.168.2.4	1.1.1.1
Jan 7, 2025 05:02:57.221148014 CET	53	63168	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 05:02:56.093465090 CET	192.168.2.4	1.1.1.1	0x5841	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:02:57.213774920 CET	192.168.2.4	1.1.1.1	0xe403	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 05:02:56.100646973 CET	1.1.1.1	192.168.2.4	0x5841	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 7, 2025 05:02:56.100646973 CET	1.1.1.1	192.168.2.4	0x5841	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:02:56.100646973 CET	1.1.1.1	192.168.2.4	0x5841	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:02:56.100646973 CET	1.1.1.1	192.168.2.4	0x5841	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:02:56.100646973 CET	1.1.1.1	192.168.2.4	0x5841	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:02:56.100646973 CET	1.1.1.1	192.168.2.4	0x5841	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:02:57.221148014 CET	1.1.1.1	192.168.2.4	0xe403	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:02:57.221148014 CET	1.1.1.1	192.168.2.4	0xe403	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	158.101.44.242	80	7524	C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 05:02:56.113825083 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 05:02:56.976543903 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 04:02:56 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d67769a081fd0e3ec128a14c2a725517 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 7, 2025 05:02:57.026058912 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 7, 2025 05:02:57.203186989 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 04:02:57 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cd642ce4580c20c9334097654624a8fe Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	188.114.97.3	443	7524	C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-07 04:02:57 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-07 04:02:57 UTC	857	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 04:02:57 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1537366 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FaG9zVARSKPVQFwLV%2FpB6WLGcUqmKqzvVX6DvFGL8oDtSmjL8PmlTU6xB%2BupqR61FYPDB6G5COfbplY89%2FJ%2B2ga1yKgGlbsenM9V05bmHeJEVVXlHlaoygtcWPvmS4SlUhVGv4hL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe10e278e7019cf-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2047&min_rtt=2047&rtt_var=768&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1426477&cwnd=252&unsent_bytes=0&cid=b87dc415f3c417ea&ts=188&x=0"
2025-01-07 04:02:57 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	23:02:54
Start date:	06/01/2025
Path:	C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe"
Imagebase:	0x470000
File size:	222'720 bytes
MD5 hash:	4947F452082BD2777D7DC32CF51035E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1660771776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:02:55
Start date:	06/01/2025
Path:	C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FORTUNE RICH_PARTICULARS.pdf.scr.exe"
Imagebase:	0x110000
File size:	222'720 bytes
MD5 hash:	4947F452082BD2777D7DC32CF51035E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2900884309.0000000000512000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2901912977.0000000002604000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.5%
Total number of Nodes:	119
Total number of Limit Nodes:	13

Executed Functions

Function 073C1787 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662044632.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c0000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb13176c9952936a652acb36c5d8c97f1024503f864e879e622da20b5169d1ea
Instruction ID: c50d1b56a186379f0106fe432f7b8f28c915cb273c75ea8fc3d2b6b8d3a1b948
Opcode Fuzzy Hash: eb13176c9952936a652acb36c5d8c97f1024503f864e879e622da20b5169d1ea
Instruction Fuzzy Hash: 9AE14AF0A0020A8FEB14DFA5C945BADBBF1BF49314F15C558E409AB266DB70ED45EB80

Function 00BED530 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 169
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00BED5BE
GetCurrentThread.KERNEL32 ref: 00BED5FB
GetCurrentProcess.KERNEL32 ref: 00BED638
GetCurrentThreadId.KERNEL32 ref: 00BED691

Strings

4'qq, xrefs: 00BED509

Memory Dump Source

Source File: 00000000.00000002.1659859348.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID: Current$ProcessThread
String ID: 4'qq
API String ID: 2063062207-1915349394
Opcode ID: e4b28296dc22adcb97b1e48f93da4166d6a28e77cb5c77d458feb51680093d2f
Instruction ID: 41fa5021565f0cbd277d635c69dd68d1bc149911ade22a9b3e9db674ada40163
Opcode Fuzzy Hash: e4b28296dc22adcb97b1e48f93da4166d6a28e77cb5c77d458feb51680093d2f
Instruction Fuzzy Hash: F9618DB19003498FDB14DFAAD548BDEBBF1EF88304F208499E409AB3A0D7755944CB61

Function 00BED540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00BED5BE
GetCurrentThread.KERNEL32 ref: 00BED5FB
GetCurrentProcess.KERNEL32 ref: 00BED638
GetCurrentThreadId.KERNEL32 ref: 00BED691

Memory Dump Source

Source File: 00000000.00000002.1659859348.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b098fcdc0720efc839147c344ac4a268a1b26a6b5d7f0ba97c54a9d5c79b54c8
Instruction ID: 2a9831bf92fb6f0f4c39b319dcc0fbc97b19d1a09dc7678535704e9533d73109
Opcode Fuzzy Hash: b098fcdc0720efc839147c344ac4a268a1b26a6b5d7f0ba97c54a9d5c79b54c8
Instruction Fuzzy Hash: 025146B09003498FDB58DFAAD548B9EBBF1EF88314F20C459E409A73A0DB759984CF65

Function 073C1307 Relevance: 1.7, APIs: 1, Instructions: 246
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1662044632.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c0000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222c3dc8c4feac9c494a649f35df5c08cf777d1c571c63204daad31609c078b7
Instruction ID: 7fde97773835d25d6152e68fc913bc3eb9d73b4374c2ef7630a9db0c77d6c8b7
Opcode Fuzzy Hash: 222c3dc8c4feac9c494a649f35df5c08cf777d1c571c63204daad31609c078b7
Instruction Fuzzy Hash: 741173F5C003888FDB10DFADC444ADEBFF0AB48324F20855AD119A7202C375A944CFA1

Function 00BEB298 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00BEB4FE

Memory Dump Source

Source File: 00000000.00000002.1659859348.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9847d917b1fdc3d46e37560acd202bc15c4ac232a981c7f72eef86c0c8eda427
Instruction ID: bb95d4cc5e427dbbb280573b52af4e84902872b11c902c45c3a1d5a68045df45
Opcode Fuzzy Hash: 9847d917b1fdc3d46e37560acd202bc15c4ac232a981c7f72eef86c0c8eda427
Instruction Fuzzy Hash: E08123B0A00B858FDB24DF2AD451B5BBBF1FF88300F1089A9D08AD7A50D775E945CB91

Function 00BE590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00BE59C9

Memory Dump Source

Source File: 00000000.00000002.1659859348.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 703b3556ca634dd98a4bda7b43afa137cf80bd442bbd6780af3f3a8270bac0c1
Instruction ID: 67498dc4edc3e74ea916319706cb2e749d5a813b2bc1c947ee69fca2a991c4bd
Opcode Fuzzy Hash: 703b3556ca634dd98a4bda7b43afa137cf80bd442bbd6780af3f3a8270bac0c1
Instruction Fuzzy Hash: 7F41C1B1C00759CADB24DFAAC8846DEBBF1BF48314F2081AAD419AB251DB756946CF50

Function 00BE449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00BE59C9

Memory Dump Source

Source File: 00000000.00000002.1659859348.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8f7d108412ed35919f930ce97895fcbf21a90f29de95e19dd4f921d63d8c0bb8
Instruction ID: e8e9e2e19d86dbb20fbfb12458eb8add90bf6c958506d8f0f5ff5384ad8a18a6
Opcode Fuzzy Hash: 8f7d108412ed35919f930ce97895fcbf21a90f29de95e19dd4f921d63d8c0bb8
Instruction Fuzzy Hash: 4F41CFB0C0075DCADB24DFAAC884A9EBBF5FF48304F2081AAD509AB251DB756945CF90

Function 073C20A2 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 073C2132

Memory Dump Source

Source File: 00000000.00000002.1662044632.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c0000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: c0583bf2c944cb95c3cf867baf3d33e4c532ea9cd9308d27bf4b6d779dca89fe
Instruction ID: 23c50833e4aff6b9d8d4545958070e98728398639e681b9d4af86fc40484a32a
Opcode Fuzzy Hash: c0583bf2c944cb95c3cf867baf3d33e4c532ea9cd9308d27bf4b6d779dca89fe
Instruction Fuzzy Hash: 643123B590039A8FDB01DF99C884A9EFFF0FF49314F14869AD419AB212C375A944CFA1

Function 00BED780 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BED80F

Memory Dump Source

Source File: 00000000.00000002.1659859348.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6c584abb0bacbc74839f2ba3c9a92f929e4d4a96a83a50143cda3116d2aebbb5
Instruction ID: 1d9a76341dd12e955418088d7b73ad4b2d3a9f116de1da53aa3fea89bf139b5d
Opcode Fuzzy Hash: 6c584abb0bacbc74839f2ba3c9a92f929e4d4a96a83a50143cda3116d2aebbb5
Instruction Fuzzy Hash: D921E3B5900348AFDB10CFAAD984ADEBBF4FB48320F14845AE918A7350D374A954DFA1

Function 00BED788 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BED80F

Memory Dump Source

Source File: 00000000.00000002.1659859348.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 378269e90d607c40031661dd67616ab3c5f0eaa6e3f499af9af21074fb883621
Instruction ID: 389a49b56ded03c2d7fbbd371ff54e74d9d0cf08f173320e47b54bde18cd4fc5
Opcode Fuzzy Hash: 378269e90d607c40031661dd67616ab3c5f0eaa6e3f499af9af21074fb883621
Instruction Fuzzy Hash: 6A21E2B59002489FDB10CFAAD984ADEBFF8FB48320F14845AE918A3350D374A944CFA0

Function 073C2198 Relevance: 1.6, APIs: 1, Instructions: 61
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 073C2211

Memory Dump Source

Source File: 00000000.00000002.1662044632.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c0000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 0d7eea8d47a6bc03b839fcab1b24a8b362892a05c65f664fb9bf5255a3d6fea4
Instruction ID: 7070847c4eee4f9a515bff41a45b768b8803eb7d7b7318ed773a1f415aacb6f1
Opcode Fuzzy Hash: 0d7eea8d47a6bc03b839fcab1b24a8b362892a05c65f664fb9bf5255a3d6fea4
Instruction Fuzzy Hash: 2321F5B19002598FDB14CFAAC844BEEFBF5FB88320F14842AD459A7250C774A944CFA0

Function 073C21A0 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 073C2211

Memory Dump Source

Source File: 00000000.00000002.1662044632.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c0000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 3be7185c1f9af3a1fc96bde26f2eef5d197afa106bd80712333ef11625cd4857
Instruction ID: 0a91c6f0ff9026d965eba2b961570e4efafc191fb493150de45c3473b7c3d89b
Opcode Fuzzy Hash: 3be7185c1f9af3a1fc96bde26f2eef5d197afa106bd80712333ef11625cd4857
Instruction Fuzzy Hash: 652136B1D0025A8FDB14CF9AC844BEEFBF5FB88320F14842AD458A3250D778A944CFA0

Function 00BEB498 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00BEB4FE

Memory Dump Source

Source File: 00000000.00000002.1659859348.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 34e120ea57e22fa932203b691648efe2175749f987e5330056042cc1e0577909
Instruction ID: f3f9b14caa4178bd0c989c5c44668c4bf7f87237a479dbfee464e00baaea339b
Opcode Fuzzy Hash: 34e120ea57e22fa932203b691648efe2175749f987e5330056042cc1e0577909
Instruction Fuzzy Hash: 6B110FB6C003898FCB10CF9AC444A9EFBF4EB88324F10845AD429A7210C375A645CFA1

Function 073C1508 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 073C155D

Memory Dump Source

Source File: 00000000.00000002.1662044632.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c0000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: b9410d8011a4fb28b7b5c3024b03a324829cf5dc7b5310155872bd0cf1ce9efc
Instruction ID: a794e484c5c8152d5b0bcd773e567a1290d3f5e9f54bbc1b7a9b325fefa21675
Opcode Fuzzy Hash: b9410d8011a4fb28b7b5c3024b03a324829cf5dc7b5310155872bd0cf1ce9efc
Instruction Fuzzy Hash: 6F1112B58003488FDB10DF9AD449B8EBFF4EB48320F20845AD519A7201C375A944CFA5

Function 00A7D61C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659697821.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a7d000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977d3b2332fd48c234b4fe3fedaa8d371103cdc7d4cb69a4c98b61ce29d340a0
Instruction ID: 06c4f3ae9fdf8861608b6a251b2131f9665d0c67676503de1fda16e2afd092e6
Opcode Fuzzy Hash: 977d3b2332fd48c234b4fe3fedaa8d371103cdc7d4cb69a4c98b61ce29d340a0
Instruction Fuzzy Hash: 7121E0B6614240DFCB05DF14D984B26BF76FF98324F24C569E90E0A256C336D816DAA1

Function 00B9D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659773197.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b262261a1e968ae9fdbf9f3ace24d9df7cea3134d6319f82cbcf38af83d9cf
Instruction ID: 282ed0fc93484b7eab831a46b14e865217913424f3a50341501bd5208949e859
Opcode Fuzzy Hash: 02b262261a1e968ae9fdbf9f3ace24d9df7cea3134d6319f82cbcf38af83d9cf
Instruction Fuzzy Hash: 7E21D075604200DFDF14DF24D9D4B26BBA5FB94314F24CABDD80A4B296C33AD807CA61

Function 00B9D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659773197.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41565fd8a8cf097ea4ddb61e576981b80d17462f74e80d3c2cdfb059d631e87c
Instruction ID: 837eb53d30ff6358b28a51b7ec7b652cc70cfd7f8f082ca9ac4c6d124ce5402c
Opcode Fuzzy Hash: 41565fd8a8cf097ea4ddb61e576981b80d17462f74e80d3c2cdfb059d631e87c
Instruction Fuzzy Hash: C42184755093808FDB16CF24D5A4715BFB1EB45314F28C5EAD8498B697C33A980ACB62

Function 00A7D617 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659697821.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a7d000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 889659fe924ad9215cea55fbd705e37a96942b04aca5ae03a7282835797c0687
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 3011AF76504280CFCB06CF14D9C4B16BF72FB94324F24C5A9D80D0B656C336D85ACBA1

Non-executed Functions

Function 00BEE084 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659859348.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96856898dc609c9676e2e56bf99c207d2086a7a3cfef542f13e2ae6f5839e588
Instruction ID: d77365f81b09bfdce31d1ea50cc0f145907d5ba08af59da9cafca1793012dcf1
Opcode Fuzzy Hash: 96856898dc609c9676e2e56bf99c207d2086a7a3cfef542f13e2ae6f5839e588
Instruction Fuzzy Hash: DFA15B36A002568FCF05DFB6C8845AEB7F2FF84300B1545BAE815AB266DB71ED55CB80

Analysis Process: FORTUNE RICH_PARTICULARS.pdf.scr.exePID: 7524, Parent PID: 7428COMMON

Execution Graph

Execution Coverage:	14.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	34
Total number of Limit Nodes:	3

Executed Functions

Function 00A9F128 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2901632173.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a90000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd19089091be076f36f0467a0d91512aa1ec6aa0990835f3fb831a56fdd9b830
Instruction ID: ee4e65b127c5bf079948e5d2302c3a53c34fd8ad6b37d291125da6c640770a8b
Opcode Fuzzy Hash: dd19089091be076f36f0467a0d91512aa1ec6aa0990835f3fb831a56fdd9b830
Instruction Fuzzy Hash: EAF1E274E01218CFDB14DFA9C984B9DBBF2BF88304F1481A9E808AB355DB75A985CF50

Function 00A97F48 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2901632173.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a90000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f4c44d7d8da600b62975855efa60ab7c407a93d8fd2116b355f21976354879a
Instruction ID: f8db32cffcf6385b2738012f0ff2e11fb95d15bef3c8f836bca9738872364f32
Opcode Fuzzy Hash: 2f4c44d7d8da600b62975855efa60ab7c407a93d8fd2116b355f21976354879a
Instruction Fuzzy Hash: 40C1AF78E01218CFDB14DFA5D994B9DBBF2BB89301F2080A9D809AB355DB355E85CF50

Function 00A98508 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2901632173.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a90000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ecbcb34fbfc9514ebdbb3113770290fd9050d824d38215518e4d02b592b327
Instruction ID: 777084932f1b6c6ec6340e04e4ecd362406cdab286c96cb644de7c187e9cc8ed
Opcode Fuzzy Hash: a4ecbcb34fbfc9514ebdbb3113770290fd9050d824d38215518e4d02b592b327
Instruction Fuzzy Hash: 23A10474E00208CFDB14DFA9C998B9DBBF1FF89304F208269E409AB291DB759985CF54

Function 00A9884F Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2901632173.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a90000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e65ac9636e099b1a6649b6fd16b246c2b48e89b50dc9b660b1f20499fa96db
Instruction ID: 38b634dfe57fcfd5d4b9e4eca14c43cf7e194594908681cb3841588d2c59e1da
Opcode Fuzzy Hash: 82e65ac9636e099b1a6649b6fd16b246c2b48e89b50dc9b660b1f20499fa96db
Instruction Fuzzy Hash: BC91F574E00218CFDB14DFA8C598BACBBF1FF89310F209259E409AB291DB799985CF55

Function 00A9F50C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 00A9F64E

Memory Dump Source

Source File: 00000002.00000002.2901632173.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a90000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6341ec751f37a13ded8be6b1653949d2a7f09902641c0cbae21090eea2a07f45
Instruction ID: c0bc3dc0403e41423563dec22a2a9719989b7dc4d85e59e2d0070aad2af7be7a
Opcode Fuzzy Hash: 6341ec751f37a13ded8be6b1653949d2a7f09902641c0cbae21090eea2a07f45
Instruction Fuzzy Hash: 8D1126B4E012099FDF04DFA9D994AADBBF5FB88304F248565E904EB251DB31EC45CB60

Function 0074D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2901187015.000000000074D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e42db26d53fe8b934c7d3f7ec0df6db14ae9384624956bec7930d350b2104f7
Instruction ID: ca9bdf3cdade18c919c6d0c6933a66063448f55c7084b4990bc9acfc3736e23a
Opcode Fuzzy Hash: 7e42db26d53fe8b934c7d3f7ec0df6db14ae9384624956bec7930d350b2104f7
Instruction Fuzzy Hash: 0621F5B1604204DFCB25DF14D9C4B26BBA5FB94314F24C56DD98A4B2A2C33ADC47CA61

Function 0074D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2901187015.000000000074D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 4edb68d2c680e48f6fe5b944a910ffd656860f82f953f9ee97e7a6050b59b012
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: ED11D075504284CFCB21CF14D5C4B15FBB1FB84314F24C6AED8494B666C33AD84ACB61

Non-executed Functions

Function 00A9F7F8 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2901632173.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a90000_FORTUNE RICH_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f1278b418626d07836176c753f85547289da4476fd85691011b388c8bda4ae
Instruction ID: 783fae3ba859233a9ee76794bf6781e0898d7a0bef1d10e99502d415338f2352
Opcode Fuzzy Hash: 36f1278b418626d07836176c753f85547289da4476fd85691011b388c8bda4ae
Instruction Fuzzy Hash: 7DD1D274E01218CFDB14DFA5C994B9DBBF2AF89300F2084A9D808AB365DB759D85DF50

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FORTUNE RICH_PARTICULARS.pdf.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FORTUNE RICH_PARTICULARS.pdf.scr.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
FORTUNE RICH_PARTICULARS.pdf.scr.exe

Function 00BED530 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 169
threadCOMMON

Function 00BED540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 073C1307 Relevance: 1.7, APIs: 1, Instructions: 246
COMMON

Function 00BEB298 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Function 00BE590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 00BE449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 073C20A2 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Function 00BED780 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 00BED788 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 073C2198 Relevance: 1.6, APIs: 1, Instructions: 61
threadCOMMON

Function 00A9F128 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Function 00A97F48 Relevance: .3, Instructions: 268
COMMON

Function 00A9F50C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre