Windows Analysis Report
DOC_PDF.exe

Overview

General Information

Sample name: DOC_PDF.exe
Analysis ID: 1519409
MD5: debff2e29172e4c6b07a62a5d7b8a6b4
SHA1: 6e2073a1f0dbd338f0a8673f35b8628581fac402
SHA256: 874c6faee7e17445012c0f573c29dde997a71cc86e15fc3152a22365cf83bdf1
Tags: exe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Found malware configuration
Source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.awlc7038.vip/b31a/"], "decoy": ["enjamin-paaac.buzz", "mail-marketing-40950.bond", "pusems28-post.cyou", "hindo.top", "ruck-company-be.today", "asinos-deutschland.net", "ewancash.boats", "etdopovo.casino", "rcher-saaac.buzz", "871166.vip", "manuel.app", "g3yqo.shop", "-9way.xyz", "qawgytfexe.bond", "iefi6834.vip", "ental-health-35901.bond", "idat-merkez18.top", "rojectleadzone.website", "lirudolph.top", "migloballlc.online", "utebolshirts.shop", "i-tools-57602.bond", "itchen-889.bond", "hewieandfriends.info", "tlchurch.net", "arolmodasgpuava.online", "indjuvedermdoctorsnearby.today", "auwin-daftar.xyz", "arden-sheds-23886.bond", "2239d3.christmas", "irablog.xyz", "remation-services-88863.bond", "ehxk3u7.forum", "resdai.xyz", "61pk48ln.autos", "-web-p102.buzz", "eb2125.info", "ole-xaaaa.buzz", "lc-driving-school.net", "igh-class-jewelry.info", "66gd660du.bond", "ixi.asia", "aemoruhagic.click", "entalcare-us2-borysfb.today", "olf-cart-82894.bond", "algrup.net", "usanscanneritaly63.sbs", "ames666.xyz", "ockycanada.net", "bykmr.shop", "gpmedia.app", "avada-ga-34.press", "igraine-treatment-33058.bond", "heodore-saaab.buzz", "ashforhouse19.online", "48827496.top", "mazonun.top", "lstrk.fun", "hegdg.net", "nssmodule.center", "sksiniaja7.buzz", "uneytozgur.online", "orri.shop", "ras-us-1.bond"]}
Multi AV Scanner detection for submitted file
Source: DOC_PDF.exe ReversingLabs: Detection: 58%
Yara detected FormBook
Source: Yara match File source: 3.2.DOC_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.DOC_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: DOC_PDF.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002BAFB8 CertGetCertificateContextProperty,GetLastError,CryptHashCertificate,GetLastError,GetLastError,CertFreeCertificateContext, 5_2_002BAFB8
Uses 32bit PE files
Source: DOC_PDF.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: DOC_PDF.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: msdt.pdbGCTL source: DOC_PDF.exe, 00000003.00000002.2104291686.0000000001D30000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 00000005.00000002.4502325563.0000000000280000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: DOC_PDF.exe, 00000003.00000002.2102921676.0000000001890000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2106101852.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.4503940124.0000000005090000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.4503940124.000000000522E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2102931452.0000000004D30000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: DOC_PDF.exe, DOC_PDF.exe, 00000003.00000002.2102921676.0000000001890000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, msdt.exe, 00000005.00000003.2106101852.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.4503940124.0000000005090000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.4503940124.000000000522E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2102931452.0000000004D30000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mJGu.pdb source: DOC_PDF.exe
Source: Binary string: mJGu.pdbSHA256 source: DOC_PDF.exe
Source: Binary string: msdt.pdb source: DOC_PDF.exe, 00000003.00000002.2104291686.0000000001D30000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, msdt.exe, 00000005.00000002.4502325563.0000000000280000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002B602D GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree, 5_2_002B602D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002C60A8 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 5_2_002C60A8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002B1B92 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 5_2_002B1B92
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002B5C20 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 5_2_002B5C20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002C743A memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 5_2_002C743A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002B4CB6 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 5_2_002B4CB6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002B4EDC memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 5_2_002B4EDC
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 4x nop then jmp 08358EFBh 0_2_08358D68
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 4x nop then pop edi 3_2_00416C96
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4x nop then pop edi 5_2_02E86C96

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.awlc7038.vip/b31a/
Tries to resolve many domain names, but no domain seems valid
Source: unknown DNS traffic detected: query: www.awlc7038.vip replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.rojectleadzone.website replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.hegdg.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ewancash.boats replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.48827496.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.bykmr.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.igh-class-jewelry.info replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.hewieandfriends.info replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.aemoruhagic.click replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.utebolshirts.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.olf-cart-82894.bond replaycode: Name error (3)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: www.awlc7038.vip replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.rojectleadzone.website replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.hegdg.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ewancash.boats replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.48827496.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.bykmr.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.igh-class-jewelry.info replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.hewieandfriends.info replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.aemoruhagic.click replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.utebolshirts.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.olf-cart-82894.bond replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: www.awlc7038.vip
Source: global traffic DNS traffic detected: DNS query: www.rojectleadzone.website
Source: global traffic DNS traffic detected: DNS query: www.olf-cart-82894.bond
Source: global traffic DNS traffic detected: DNS query: www.hewieandfriends.info
Source: global traffic DNS traffic detected: DNS query: www.ewancash.boats
Source: global traffic DNS traffic detected: DNS query: www.igh-class-jewelry.info
Source: global traffic DNS traffic detected: DNS query: www.48827496.top
Source: global traffic DNS traffic detected: DNS query: www.bykmr.shop
Source: global traffic DNS traffic detected: DNS query: www.utebolshirts.shop
Source: global traffic DNS traffic detected: DNS query: www.hegdg.net
Source: global traffic DNS traffic detected: DNS query: www.aemoruhagic.click
Source: explorer.exe, 00000004.00000002.4510666183.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510666183.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000004.00000000.2043320694.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4502583953.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: explorer.exe, 00000004.00000002.4510666183.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510666183.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000004.00000002.4510666183.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510666183.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000004.00000002.4510666183.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510666183.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000004.00000003.3094195569.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510666183.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000004.00000000.2057955900.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4508804572.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2057404332.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.-web-p102.buzz
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.-web-p102.buzz/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.-web-p102.buzz/b31a/www.indjuvedermdoctorsnearby.today
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.-web-p102.buzzReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.2239d3.christmas
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.2239d3.christmas/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.2239d3.christmas/b31a/h
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.2239d3.christmasReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.48827496.top
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.48827496.top/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.48827496.top/b31a/www.bykmr.shop
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.48827496.topReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aemoruhagic.click
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aemoruhagic.click/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aemoruhagic.click/b31a/www.-web-p102.buzz
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aemoruhagic.clickReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ashforhouse19.online
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ashforhouse19.online/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ashforhouse19.online/b31a/www.2239d3.christmas
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ashforhouse19.onlineReferer:
Source: explorer.exe, 00000004.00000003.3825649798.000000000C8EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095300966.000000000C8E8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3102191852.000000000C8EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3093866051.000000000C8E8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2062761599.000000000C8E8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.E
Source: explorer.exe, 00000004.00000000.2062761599.000000000C8BC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095300966.000000000C8DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3093866051.000000000C8BC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.awlc7038.vip
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.awlc7038.vip/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.awlc7038.vip/b31a/www.rojectleadzone.website
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.awlc7038.vipReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bykmr.shop
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bykmr.shop/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bykmr.shop/b31a/www.utebolshirts.shop
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bykmr.shopReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ewancash.boats
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ewancash.boats/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ewancash.boats/b31a/www.igh-class-jewelry.info
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ewancash.boatsReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hegdg.net
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hegdg.net/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hegdg.net/b31a/www.aemoruhagic.click
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hegdg.netReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hewieandfriends.info
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hewieandfriends.info/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hewieandfriends.info/b31a/www.ewancash.boats
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hewieandfriends.infoReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.igh-class-jewelry.info
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.igh-class-jewelry.info/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.igh-class-jewelry.info/b31a/www.48827496.top
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.igh-class-jewelry.infoReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.indjuvedermdoctorsnearby.today
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.indjuvedermdoctorsnearby.today/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.indjuvedermdoctorsnearby.today/b31a/www.ashforhouse19.online
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.indjuvedermdoctorsnearby.todayReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olf-cart-82894.bond
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olf-cart-82894.bond/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olf-cart-82894.bond/b31a/www.hewieandfriends.info
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olf-cart-82894.bondReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.resdai.xyz
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.resdai.xyz/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.resdai.xyz/b31a/www.hegdg.net
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.resdai.xyzReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rojectleadzone.website
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rojectleadzone.website/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rojectleadzone.website/b31a/www.olf-cart-82894.bond
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rojectleadzone.websiteReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.utebolshirts.shop
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.utebolshirts.shop/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.utebolshirts.shop/b31a/www.resdai.xyz
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.utebolshirts.shopReferer:
Source: explorer.exe, 00000004.00000002.4516483645.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2062045915.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000004.00000003.3827896321.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4506643376.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2056628232.00000000076F8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000004.00000002.4510666183.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000004.00000002.4506643376.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2056628232.0000000007637000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000004.00000003.3097162439.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2044254492.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4504765400.00000000035FA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000004.00000003.3828353043.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095363087.0000000009B95000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3826265427.0000000009B95000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4513465744.0000000009C22000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000004.00000000.2058647031.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4513550393.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095363087.0000000009B95000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3826265427.0000000009B95000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3827270143.0000000009C92000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000004.00000002.4516483645.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2062045915.000000000C460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000004.00000003.3094195569.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510666183.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000004.00000003.3094195569.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510666183.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comon
Contains functionality for read data from the clipboard
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002B2361 GetProcessHeap,HeapAlloc,CreateStreamOnHGlobal,OpenClipboard,GetLastError,EmptyClipboard,GetHGlobalFromStream,SetClipboardData,CloseClipboard,GetProcessHeap,HeapFree, 5_2_002B2361
Contains functionality to modify clipboard data
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002B2361 GetProcessHeap,HeapAlloc,CreateStreamOnHGlobal,OpenClipboard,GetLastError,EmptyClipboard,GetHGlobalFromStream,SetClipboardData,CloseClipboard,GetProcessHeap,HeapFree, 5_2_002B2361

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 3.2.DOC_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.DOC_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 3.2.DOC_PDF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.DOC_PDF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.DOC_PDF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.DOC_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.DOC_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.DOC_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4519710590.0000000010520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: DOC_PDF.exe PID: 6620, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: DOC_PDF.exe PID: 5740, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msdt.exe PID: 4320, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: DOC_PDF.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0041A320 NtCreateFile, 3_2_0041A320
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0041A3D0 NtReadFile, 3_2_0041A3D0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0041A450 NtClose, 3_2_0041A450
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0041A500 NtAllocateVirtualMemory, 3_2_0041A500
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0041A44A NtReadFile,NtClose, 3_2_0041A44A
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_01902BF0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902B60 NtClose,LdrInitializeThunk, 3_2_01902B60
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902AD0 NtReadFile,LdrInitializeThunk, 3_2_01902AD0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902DD0 NtDelayExecution,LdrInitializeThunk, 3_2_01902DD0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902DF0 NtQuerySystemInformation,LdrInitializeThunk, 3_2_01902DF0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902D10 NtMapViewOfSection,LdrInitializeThunk, 3_2_01902D10
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902D30 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_01902D30
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902CA0 NtQueryInformationToken,LdrInitializeThunk, 3_2_01902CA0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902C70 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_01902C70
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902F90 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_01902F90
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902FB0 NtResumeThread,LdrInitializeThunk, 3_2_01902FB0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902FE0 NtCreateFile,LdrInitializeThunk, 3_2_01902FE0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902F30 NtCreateSection,LdrInitializeThunk, 3_2_01902F30
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902E80 NtReadVirtualMemory,LdrInitializeThunk, 3_2_01902E80
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_01902EA0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01904340 NtSetContextThread, 3_2_01904340
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01904650 NtSuspendThread, 3_2_01904650
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902B80 NtQueryInformationFile, 3_2_01902B80
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902BA0 NtEnumerateValueKey, 3_2_01902BA0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902BE0 NtQueryValueKey, 3_2_01902BE0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902AB0 NtWaitForSingleObject, 3_2_01902AB0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902AF0 NtWriteFile, 3_2_01902AF0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902DB0 NtEnumerateKey, 3_2_01902DB0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902D00 NtSetInformationFile, 3_2_01902D00
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902CC0 NtQueryVirtualMemory, 3_2_01902CC0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902CF0 NtOpenProcess, 3_2_01902CF0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902C00 NtQueryInformationProcess, 3_2_01902C00
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902C60 NtCreateKey, 3_2_01902C60
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902FA0 NtQuerySection, 3_2_01902FA0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902F60 NtCreateProcessEx, 3_2_01902F60
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902EE0 NtQueueApcThread, 3_2_01902EE0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902E30 NtWriteVirtualMemory, 3_2_01902E30
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01903090 NtSetValueKey, 3_2_01903090
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01903010 NtOpenDirectoryObject, 3_2_01903010
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019035C0 NtCreateMutant, 3_2_019035C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019039B0 NtGetContextThread, 3_2_019039B0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01903D10 NtOpenProcessToken, 3_2_01903D10
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01903D70 NtOpenThread, 3_2_01903D70
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002C1C50 NtQueryInformationToken,NtQueryInformationToken, 5_2_002C1C50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002C1CBD NtOpenThreadToken,NtOpenProcessToken,NtQueryInformationToken,NtClose, 5_2_002C1CBD
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_051035C0 NtCreateMutant,LdrInitializeThunk, 5_2_051035C0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102D10 NtMapViewOfSection,LdrInitializeThunk, 5_2_05102D10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102DD0 NtDelayExecution,LdrInitializeThunk, 5_2_05102DD0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_05102DF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_05102C70
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102C60 NtCreateKey,LdrInitializeThunk, 5_2_05102C60
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102CA0 NtQueryInformationToken,LdrInitializeThunk, 5_2_05102CA0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102F30 NtCreateSection,LdrInitializeThunk, 5_2_05102F30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102FE0 NtCreateFile,LdrInitializeThunk, 5_2_05102FE0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_05102EA0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102B60 NtClose,LdrInitializeThunk, 5_2_05102B60
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_05102BF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102BE0 NtQueryValueKey,LdrInitializeThunk, 5_2_05102BE0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102AD0 NtReadFile,LdrInitializeThunk, 5_2_05102AD0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05104650 NtSuspendThread, 5_2_05104650
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05103010 NtOpenDirectoryObject, 5_2_05103010
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05103090 NtSetValueKey, 5_2_05103090
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05104340 NtSetContextThread, 5_2_05104340
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05103D10 NtOpenProcessToken, 5_2_05103D10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102D00 NtSetInformationFile, 5_2_05102D00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102D30 NtUnmapViewOfSection, 5_2_05102D30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05103D70 NtOpenThread, 5_2_05103D70
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102DB0 NtEnumerateKey, 5_2_05102DB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102C00 NtQueryInformationProcess, 5_2_05102C00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102CC0 NtQueryVirtualMemory, 5_2_05102CC0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102CF0 NtOpenProcess, 5_2_05102CF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102F60 NtCreateProcessEx, 5_2_05102F60
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102F90 NtProtectVirtualMemory, 5_2_05102F90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102FB0 NtResumeThread, 5_2_05102FB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102FA0 NtQuerySection, 5_2_05102FA0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102E30 NtWriteVirtualMemory, 5_2_05102E30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102E80 NtReadVirtualMemory, 5_2_05102E80
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102EE0 NtQueueApcThread, 5_2_05102EE0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_051039B0 NtGetContextThread, 5_2_051039B0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102B80 NtQueryInformationFile, 5_2_05102B80
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102BA0 NtEnumerateValueKey, 5_2_05102BA0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102AB0 NtWaitForSingleObject, 5_2_05102AB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05102AF0 NtWriteFile, 5_2_05102AF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_02E8A3D0 NtReadFile, 5_2_02E8A3D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_02E8A320 NtCreateFile, 5_2_02E8A320
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_02E8A450 NtClose, 5_2_02E8A450
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_02E8A500 NtAllocateVirtualMemory, 5_2_02E8A500
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_02E8A44A NtReadFile,NtClose, 5_2_02E8A44A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04DDA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread, 5_2_04DDA036
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04DD9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 5_2_04DD9BAF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04DDA042 NtQueryInformationProcess, 5_2_04DDA042
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04DD9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_04DD9BB2
Detected potential crypto function
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 0_2_0173DEEC 0_2_0173DEEC
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 0_2_033B0006 0_2_033B0006
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 0_2_033B0040 0_2_033B0040
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 0_2_08350040 0_2_08350040
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 0_2_08358D68 0_2_08358D68
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 0_2_08350006 0_2_08350006
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 0_2_08354A08 0_2_08354A08
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 0_2_08356A78 0_2_08356A78
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 0_2_08355278 0_2_08355278
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 0_2_08356A67 0_2_08356A67
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 0_2_08355269 0_2_08355269
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 0_2_0835BA88 0_2_0835BA88
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 0_2_08358470 0_2_08358470
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 0_2_08358D58 0_2_08358D58
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 0_2_083545D0 0_2_083545D0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 0_2_08354E31 0_2_08354E31
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_00401030 3_2_00401030
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0041D94E 3_2_0041D94E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_00401174 3_2_00401174
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_00401208 3_2_00401208
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0041EB49 3_2_0041EB49
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0041D563 3_2_0041D563
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_00402D90 3_2_00402D90
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_00409E4B 3_2_00409E4B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_00409E50 3_2_00409E50
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_00402FB0 3_2_00402FB0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019901AA 3_2_019901AA
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019841A2 3_2_019841A2
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019881CC 3_2_019881CC
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C0100 3_2_018C0100
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196A118 3_2_0196A118
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01958158 3_2_01958158
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01962000 3_2_01962000
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018DE3F0 3_2_018DE3F0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019903E6 3_2_019903E6
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0198A352 3_2_0198A352
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019502C0 3_2_019502C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01970274 3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01990591 3_2_01990591
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0535 3_2_018D0535
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0197E4F6 3_2_0197E4F6
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01974420 3_2_01974420
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01982446 3_2_01982446
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CC7C0 3_2_018CC7C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F4750 3_2_018F4750
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0770 3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EC6E0 3_2_018EC6E0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D29A0 3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0199A9A6 3_2_0199A9A6
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E6962 3_2_018E6962
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018B68B8 3_2_018B68B8
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FE8F0 3_2_018FE8F0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D2840 3_2_018D2840
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018DA840 3_2_018DA840
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01986BD7 3_2_01986BD7
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0198AB40 3_2_0198AB40
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CEA80 3_2_018CEA80
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E8DBF 3_2_018E8DBF
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CADE0 3_2_018CADE0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196CD1F 3_2_0196CD1F
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018DAD00 3_2_018DAD00
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01970CB5 3_2_01970CB5
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C0CF2 3_2_018C0CF2
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0C00 3_2_018D0C00
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194EFA0 3_2_0194EFA0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C2FC8 3_2_018C2FC8
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018DCFE0 3_2_018DCFE0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01972F30 3_2_01972F30
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01912F28 3_2_01912F28
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F0F30 3_2_018F0F30
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01944F40 3_2_01944F40
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0198CE93 3_2_0198CE93
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E2E90 3_2_018E2E90
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0198EEDB 3_2_0198EEDB
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0198EE26 3_2_0198EE26
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0E59 3_2_018D0E59
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018DB1B0 3_2_018DB1B0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0199B16B 3_2_0199B16B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018BF172 3_2_018BF172
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0190516C 3_2_0190516C
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D70C0 3_2_018D70C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0197F0CC 3_2_0197F0CC
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019870E9 3_2_019870E9
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0198F0E0 3_2_0198F0E0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0191739A 3_2_0191739A
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0198132D 3_2_0198132D
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018BD34C 3_2_018BD34C
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D52A0 3_2_018D52A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EB2C0 3_2_018EB2C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019712ED 3_2_019712ED
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196D5B0 3_2_0196D5B0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019995C3 3_2_019995C3
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01987571 3_2_01987571
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0198F43F 3_2_0198F43F
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C1460 3_2_018C1460
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0198F7B0 3_2_0198F7B0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019816CC 3_2_019816CC
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01915630 3_2_01915630
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01965910 3_2_01965910
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D9950 3_2_018D9950
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EB950 3_2_018EB950
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D38E0 3_2_018D38E0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193D800 3_2_0193D800
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EFB80 3_2_018EFB80
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01945BF0 3_2_01945BF0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0190DBF9 3_2_0190DBF9
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0198FB76 3_2_0198FB76
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01915AA0 3_2_01915AA0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01971AA3 3_2_01971AA3
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196DAAC 3_2_0196DAAC
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0197DAC6 3_2_0197DAC6
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0198FA49 3_2_0198FA49
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01987A46 3_2_01987A46
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01943A6C 3_2_01943A6C
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EFDC0 3_2_018EFDC0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01981D5A 3_2_01981D5A
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D3D40 3_2_018D3D40
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01987D73 3_2_01987D73
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0198FCF2 3_2_0198FCF2
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01949C32 3_2_01949C32
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D1F92 3_2_018D1F92
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0198FFB1 3_2_0198FFB1
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01893FD2 3_2_01893FD2
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01893FD5 3_2_01893FD5
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0198FF09 3_2_0198FF09
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D9EB0 3_2_018D9EB0
Source: C:\Windows\explorer.exe Code function: 4_2_0EF7C232 4_2_0EF7C232
Source: C:\Windows\explorer.exe Code function: 4_2_0EF76B32 4_2_0EF76B32
Source: C:\Windows\explorer.exe Code function: 4_2_0EF76B30 4_2_0EF76B30
Source: C:\Windows\explorer.exe Code function: 4_2_0EF72082 4_2_0EF72082
Source: C:\Windows\explorer.exe Code function: 4_2_0EF7B036 4_2_0EF7B036
Source: C:\Windows\explorer.exe Code function: 4_2_0EF7F5CD 4_2_0EF7F5CD
Source: C:\Windows\explorer.exe Code function: 4_2_0EF79912 4_2_0EF79912
Source: C:\Windows\explorer.exe Code function: 4_2_0EF73D02 4_2_0EF73D02
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002CC803 5_2_002CC803
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002AF0DB 5_2_002AF0DB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002A5950 5_2_002A5950
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002BFCE7 5_2_002BFCE7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002B4702 5_2_002B4702
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002C2FD3 5_2_002C2FD3
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050D0535 5_2_050D0535
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05187571 5_2_05187571
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05190591 5_2_05190591
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0516D5B0 5_2_0516D5B0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0518F43F 5_2_0518F43F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05182446 5_2_05182446
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050C1460 5_2_050C1460
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0517E4F6 5_2_0517E4F6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050F4750 5_2_050F4750
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050D0770 5_2_050D0770
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0518F7B0 5_2_0518F7B0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050CC7C0 5_2_050CC7C0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_051816CC 5_2_051816CC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050EC6E0 5_2_050EC6E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050C0100 5_2_050C0100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0516A118 5_2_0516A118
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05158158 5_2_05158158
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0519B16B 5_2_0519B16B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050BF172 5_2_050BF172
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0510516C 5_2_0510516C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_051901AA 5_2_051901AA
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050DB1B0 5_2_050DB1B0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_051881CC 5_2_051881CC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050D70C0 5_2_050D70C0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0517F0CC 5_2_0517F0CC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_051870E9 5_2_051870E9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0518F0E0 5_2_0518F0E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0518132D 5_2_0518132D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050BD34C 5_2_050BD34C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0518A352 5_2_0518A352
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0511739A 5_2_0511739A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050DE3F0 5_2_050DE3F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_051903E6 5_2_051903E6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05170274 5_2_05170274
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050D52A0 5_2_050D52A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050EB2C0 5_2_050EB2C0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_051502C0 5_2_051502C0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_051712ED 5_2_051712ED
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050DAD00 5_2_050DAD00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05181D5A 5_2_05181D5A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050D3D40 5_2_050D3D40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05187D73 5_2_05187D73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050E8DBF 5_2_050E8DBF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050EFDC0 5_2_050EFDC0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050CADE0 5_2_050CADE0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050D0C00 5_2_050D0C00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05149C32 5_2_05149C32
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05170CB5 5_2_05170CB5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0518FCF2 5_2_0518FCF2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050C0CF2 5_2_050C0CF2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0518FF09 5_2_0518FF09
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05112F28 5_2_05112F28
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050F0F30 5_2_050F0F30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05144F40 5_2_05144F40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050D1F92 5_2_050D1F92
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0518FFB1 5_2_0518FFB1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0514EFA0 5_2_0514EFA0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050C2FC8 5_2_050C2FC8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05093FD2 5_2_05093FD2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05093FD5 5_2_05093FD5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050DCFE0 5_2_050DCFE0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0518EE26 5_2_0518EE26
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050D0E59 5_2_050D0E59
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0518CE93 5_2_0518CE93
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050E2E90 5_2_050E2E90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050D9EB0 5_2_050D9EB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0518EEDB 5_2_0518EEDB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050D9950 5_2_050D9950
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050EB950 5_2_050EB950
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050E6962 5_2_050E6962
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050D29A0 5_2_050D29A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0519A9A6 5_2_0519A9A6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0513D800 5_2_0513D800
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050D2840 5_2_050D2840
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050DA840 5_2_050DA840
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050B68B8 5_2_050B68B8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050D38E0 5_2_050D38E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050FE8F0 5_2_050FE8F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0518AB40 5_2_0518AB40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0518FB76 5_2_0518FB76
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050EFB80 5_2_050EFB80
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05186BD7 5_2_05186BD7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05145BF0 5_2_05145BF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0510DBF9 5_2_0510DBF9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0518FA49 5_2_0518FA49
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05187A46 5_2_05187A46
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05143A6C 5_2_05143A6C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_050CEA80 5_2_050CEA80
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_05115AA0 5_2_05115AA0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0516DAAC 5_2_0516DAAC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0517DAC6 5_2_0517DAC6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_02E8EB49 5_2_02E8EB49
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_02E79E4B 5_2_02E79E4B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_02E79E50 5_2_02E79E50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_02E72FB0 5_2_02E72FB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_02E72D90 5_2_02E72D90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04DDA036 5_2_04DDA036
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04DDE5CD 5_2_04DDE5CD
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04DD2D02 5_2_04DD2D02
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04DD1082 5_2_04DD1082
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04DD8912 5_2_04DD8912
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04DDB232 5_2_04DDB232
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04DD5B30 5_2_04DD5B30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04DD5B32 5_2_04DD5B32
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 002CE523 appears 31 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 05117E54 appears 96 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 002919DB appears 34 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 05105130 appears 36 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 050BB970 appears 272 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 0513EA12 appears 86 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 002999E8 appears 891 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 0514F290 appears 105 times
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: String function: 018BB970 appears 280 times
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: String function: 0194F290 appears 105 times
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: String function: 01917E54 appears 111 times
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: String function: 0193EA12 appears 86 times
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: String function: 01905130 appears 58 times
Sample file is different than original file name gathered from version info
Source: DOC_PDF.exe, 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs DOC_PDF.exe
Source: DOC_PDF.exe, 00000000.00000000.2031155338.0000000000F68000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemJGu.exe> vs DOC_PDF.exe
Source: DOC_PDF.exe, 00000000.00000002.2065517443.00000000082B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs DOC_PDF.exe
Source: DOC_PDF.exe, 00000003.00000002.2104291686.0000000001D30000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamemsdt.exej% vs DOC_PDF.exe
Source: DOC_PDF.exe, 00000003.00000002.2102921676.00000000019BD000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs DOC_PDF.exe
Source: DOC_PDF.exe Binary or memory string: OriginalFilenamemJGu.exe> vs DOC_PDF.exe
Uses 32bit PE files
Source: DOC_PDF.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 3.2.DOC_PDF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.DOC_PDF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.DOC_PDF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.DOC_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.DOC_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.DOC_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4519710590.0000000010520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: DOC_PDF.exe PID: 6620, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: DOC_PDF.exe PID: 5740, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msdt.exe PID: 4320, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: DOC_PDF.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, qvUpK54jLa4D0hOo8U.cs Security API names: _0020.SetAccessControl
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, qvUpK54jLa4D0hOo8U.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, qvUpK54jLa4D0hOo8U.cs Security API names: _0020.AddAccessRule
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, qvUpK54jLa4D0hOo8U.cs Security API names: _0020.SetAccessControl
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, qvUpK54jLa4D0hOo8U.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, qvUpK54jLa4D0hOo8U.cs Security API names: _0020.AddAccessRule
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, kaGBmd7IL3A7gie4gL.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, kaGBmd7IL3A7gie4gL.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/1@11/0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002C2826 VariantInit,CoCreateInstance,SysFreeString,SysStringLen,GetProcessHeap,HeapAlloc,WideCharToMultiByte,GetLastError,VariantClear,CreateStreamOnHGlobal,VariantClear,GetProcessHeap,HeapFree,SysFreeString, 5_2_002C2826
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002C1DB3 FindResourceW,GetLastError,LoadResource,GetLastError,LockResource,SizeofResource,GetLastError,GlobalAlloc,GetLastError,GlobalLock,GetLastError,memcpy,CreateStreamOnHGlobal,FreeResource,GlobalUnlock,GlobalFree, 5_2_002C1DB3
Source: C:\Users\user\Desktop\DOC_PDF.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DOC_PDF.exe.log Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Mutant created: NULL
Source: C:\Users\user\Desktop\DOC_PDF.exe Mutant created: \Sessions\1\BaseNamedObjects\quRFdtlEfmViPotvOfS
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03
Source: DOC_PDF.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DOC_PDF.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: DOC_PDF.exe ReversingLabs: Detection: 58%
Source: unknown Process created: C:\Users\user\Desktop\DOC_PDF.exe "C:\Users\user\Desktop\DOC_PDF.exe"
Source: C:\Users\user\Desktop\DOC_PDF.exe Process created: C:\Users\user\Desktop\DOC_PDF.exe "C:\Users\user\Desktop\DOC_PDF.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DOC_PDF.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC_PDF.exe Process created: C:\Users\user\Desktop\DOC_PDF.exe "C:\Users\user\Desktop\DOC_PDF.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe" Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DOC_PDF.exe" Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: workfoldersshell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: DOC_PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DOC_PDF.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: DOC_PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: msdt.pdbGCTL source: DOC_PDF.exe, 00000003.00000002.2104291686.0000000001D30000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 00000005.00000002.4502325563.0000000000280000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: DOC_PDF.exe, 00000003.00000002.2102921676.0000000001890000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2106101852.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.4503940124.0000000005090000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.4503940124.000000000522E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2102931452.0000000004D30000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: DOC_PDF.exe, DOC_PDF.exe, 00000003.00000002.2102921676.0000000001890000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, msdt.exe, 00000005.00000003.2106101852.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.4503940124.0000000005090000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.4503940124.000000000522E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2102931452.0000000004D30000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mJGu.pdb source: DOC_PDF.exe
Source: Binary string: mJGu.pdbSHA256 source: DOC_PDF.exe
Source: Binary string: msdt.pdb source: DOC_PDF.exe, 00000003.00000002.2104291686.0000000001D30000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, msdt.exe, 00000005.00000002.4502325563.0000000000280000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: DOC_PDF.exe, MainForm.cs .Net Code: InitializeComponent
Source: 0.2.DOC_PDF.exe.34698e4.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, qvUpK54jLa4D0hOo8U.cs .Net Code: nOS8QND6g2 System.Reflection.Assembly.Load(byte[])
Source: 0.2.DOC_PDF.exe.76b0000.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, qvUpK54jLa4D0hOo8U.cs .Net Code: nOS8QND6g2 System.Reflection.Assembly.Load(byte[])
Source: 0.2.DOC_PDF.exe.345c734.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 4.2.explorer.exe.10aff840.0.raw.unpack, MainForm.cs .Net Code: InitializeComponent
Source: 5.2.msdt.exe.55df840.3.raw.unpack, MainForm.cs .Net Code: InitializeComponent
Binary contains a suspicious time stamp
Source: DOC_PDF.exe Static PE information: 0xCCFF9492 [Mon Dec 26 17:36:18 2078 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 0_2_033BEB08 pushfd ; iretd 0_2_033BEB09
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0041E03F push F69B27B4h; ret 3_2_0041E044
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_004169E1 push cs; ret 3_2_00416A1B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_00416996 push cs; ret 3_2_00416A1B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_004179BE push esp; ret 3_2_004179C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0041645D push 22047084h; ret 3_2_00416462
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0041D475 push eax; ret 3_2_0041D4C8
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0041D4C2 push eax; ret 3_2_0041D4C8
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0041D4CB push eax; ret 3_2_0041D532
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0041D52C push eax; ret 3_2_0041D532
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_004035C8 push esi; iretd 3_2_004035CF
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_004175A0 pushfd ; iretd 3_2_004175B5
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0041DE4A push ebp; iretd 3_2_0041DE52
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_004176EF push cs; ret 3_2_004176D4
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_004176A1 push cs; ret 3_2_004176D4
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0189225F pushad ; ret 3_2_018927F9
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018927FA pushad ; ret 3_2_018927F9
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C09AD push ecx; mov dword ptr [esp], ecx 3_2_018C09B6
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0189283D push eax; iretd 3_2_01892858
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01891200 push eax; iretd 3_2_01891369
Source: C:\Windows\explorer.exe Code function: 4_2_0EF7FB1E push esp; retn 0000h 4_2_0EF7FB1F
Source: C:\Windows\explorer.exe Code function: 4_2_0EF7FB02 push esp; retn 0000h 4_2_0EF7FB03
Source: C:\Windows\explorer.exe Code function: 4_2_0EF7F9B5 push esp; retn 0000h 4_2_0EF7FAE7
Source: C:\Windows\explorer.exe Code function: 4_2_10403873 push eax; ret 4_2_10403874
Source: C:\Windows\explorer.exe Code function: 4_2_10401E74 push ecx; iretd 4_2_10401E76
Source: C:\Windows\explorer.exe Code function: 4_2_10401C10 push edi; ret 4_2_10401C2B
Source: C:\Windows\explorer.exe Code function: 4_2_1040322C push edi; retf 4_2_104032AF
Source: C:\Windows\explorer.exe Code function: 4_2_10403288 push edi; retf 4_2_104032AF
Source: C:\Windows\explorer.exe Code function: 4_2_10402E94 push ebx; iretd 4_2_10402F30
Source: C:\Windows\explorer.exe Code function: 4_2_10403346 push esi; retf 4_2_1040334F
Source: C:\Windows\explorer.exe Code function: 4_2_10401D48 push 90F076E7h; ret 4_2_10401D4D
Source: DOC_PDF.exe Static PE information: section name: .text entropy: 7.806630339806879
Source: 0.2.DOC_PDF.exe.34698e4.0.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.DOC_PDF.exe.34698e4.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, kaGBmd7IL3A7gie4gL.cs High entropy of concatenated method names: 'TshlAjPJZL', 'j76lE2RSAa', 'eIMl1XYK80', 'Fd4lNyhLyG', 'wAUlmG9fX2', 'pPElj6AcSC', 'Y5Ylw0Wtyu', 'uKjlYEWN24', 'kLFlJWw8t9', 'ATXlaECreM'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, qvUpK54jLa4D0hOo8U.cs High entropy of concatenated method names: 'e3vBXHLhG2', 'w0cBHQfGWy', 'TpjBlvWHH9', 'AjgBRVEYuF', 'VuOBclPojZ', 'ytDBCXcePX', 'nrhBO8Ks68', 'nA2B4wDg8Y', 'lyOBho3X1n', 'VFaBfUIfsD'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, ja0FrxTKZaBXr6wtsN.cs High entropy of concatenated method names: 'CatOH9nCgp', 'dPROR5TW6W', 'u2COCEFQNH', 'QqoCamf6I8', 'm5oCzA6a2K', 'yHyOkajt58', 'Lj3OqQ1lJv', 'Ik0O6YEeGi', 'YxVOBOg1Yo', 'JCkO8mIlEL'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, QCtMcHNdkjLmfehFJJ.cs High entropy of concatenated method names: 'LxUiftudFk', 'Uwui5STqaE', 'ToString', 'wSHiHHxApx', 'JZvil9Lr4K', 'pcMiR3CtIY', 'nDxic5fSo2', 'fIZiCSEmQD', 'wjEiOH2ZwF', 'rydi4W70NF'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, MITUhauvnfmoykYTqq.cs High entropy of concatenated method names: 'hWnO9tR90Z', 'RPlOg7Voll', 'J9jOQPsWsn', 'T23OtqHiVh', 'zIuOdy1osa', 'phdOvddFVE', 'P8FO0nHDu7', 'bEcO7i7q7G', 'LLVOMUN1jj', 'aQBOGBVTyC'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, jbhZerAV999bCjLvh3.cs High entropy of concatenated method names: 'w3RnSxZMX5', 'T9inUwcilY', 'g1nnAXwSyP', 'i6QnEAtd6e', 'pyXnWEaM6S', 'YMGnK9711T', 'PD7nD4vgHd', 'UCinVGNKMe', 'fWonrTE6P6', 'GrgnTaXEJA'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, nDVKwsqkqtbqtimbRvH.cs High entropy of concatenated method names: 'sSfs9dymTW', 'vCnsgwsXcC', 'v8qsQ1k50b', 'C5VstNy2Yv', 'WAosd4ZixB', 'fi6svf6QLU', 'Ccts0tH9qd', 'q2Vs7LHjt7', 'UtosMyQu2T', 'R9RsGDG15n'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, mi2vS06JFYcge8cJoT.cs High entropy of concatenated method names: 'ijyQtGxoP', 'uSYtDj0yv', 'MSLvDqLnx', 'D5s0GKYi3', 'XOGMWJnxB', 'yyuGEf5Mo', 'SyCbsdWr4WpbHsjmj1', 'zfUAZl5hcdC1RcJBJV', 'UuXPhQTpr', 'wytbM9heC'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, HAFWCwl0wYV1TKc6JB.cs High entropy of concatenated method names: 'Dispose', 'Ps5qJehSOS', 'T4V6WWT0UJ', 'Ilpggpho9I', 'VSSqabGYCi', 'LNJqzvf3qI', 'ProcessDialogKey', 'UYs6kYnkvU', 'rWf6qBSvcp', 'SeR66Xsw2P'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, kRiFjiqqm6lUi7TpIZ9.cs High entropy of concatenated method names: 'ToString', 'eMIbBhtbg0', 'idjb8DwYql', 'zAybXfgVfo', 'ge8bHQPAwJ', 'IngblQd15S', 'Q6gbRNcssi', 'EyTbck6T4h', 'l40YXvAO2OtCux7W14Z', 'xDiS9TA1nnTpNBLwbct'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, Sq34kgFFB7d6NqHHEk.cs High entropy of concatenated method names: 'Mixp7T4cIq', 'L8rpM1upqb', 'QTIpZebKrr', 'zsCpWOKuJd', 'KSNpDCEHAo', 'BQcpVw1bSP', 'scUpT7cJrx', 'wZBpxRubdw', 'vn4pSEjnsi', 'ND1pyb9UbZ'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, NSbGYCYiTNJvf3qImY.cs High entropy of concatenated method names: 'khwPHJhNnf', 'QxWPlNFEAX', 'SjRPRxjb29', 'aitPcykvf3', 'pyCPCsZfUD', 'ekdPO14mIS', 'OJiP4iMxIm', 'HdSPhkGV1Q', 'abmPffKnHW', 'f47P5mgPgG'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, uvx5IhqBbtBJdXBT7hK.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Bl4bAUGNvl', 'S3HbE2Js6j', 'G1Xb1PFgEf', 'ARBbNh4dxo', 'JZibmRtShS', 'N0hbjCneJn', 'SM5bwaJ18E'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, FeJObWZn6B0YmoJaZH.cs High entropy of concatenated method names: 'xmOCXGf5FG', 'UgWClyfWkp', 'BHwCc6lkFI', 'jf3CORu9QE', 'nfxC41hJ71', 'a0Jcmkgssr', 'dZFcjBbHTM', 'DxEcw0OJY5', 'NPMcYgFQoR', 'TumcJnyDaE'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, XSjCJsG9WsDXjdgYs9.cs High entropy of concatenated method names: 'NwGcdX8s03', 'Jtlc033kFB', 'h7vRKKN01u', 'c0FRDS2AAw', 'DTERVSwtNq', 'zVURrDe8DM', 'yToRTPCb7p', 'RpGRxA1t6j', 'fUpRuXm3Lt', 't8ORSMxOMH'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, GmQJ8Dq67Fj8S6cvP8x.cs High entropy of concatenated method names: 'I60b9FPtXc', 'Lf6bgiy0Mq', 'UZvbQ0C6q6', 'u5fJj2AtbFwQBGJcXeC', 'JHO1soAaucEYu1v7Od4', 'LJGpQiAHXo2TuJeCodh', 'rVSQtuACZ08U3j52EMQ', 'Dl6kigA0lYk3q3ZOJ6l'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, LS0I0oM0IRdNrt8PB6.cs High entropy of concatenated method names: 'IbZRtHId8b', 'q1IRvMDyWH', 'sCrR7GLJar', 'gRsRM8rv8w', 'EBGRnSVkWY', 'I77ReeVg1e', 'M3ORiJ5a1l', 'pgTRPlvF1i', 'XSIRs0W2TK', 'pQERbhS9cW'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, rYnkvUJPWfBSvcpEeR.cs High entropy of concatenated method names: 'YxiPZERhUi', 'PuQPW0TP22', 'N3lPKAZtn4', 'miVPD8dRdO', 'JpRPAVBAbh', 'WlNPVXib1h', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, xw56Ae8FFfYwaKqXtX.cs High entropy of concatenated method names: 'Vv4qOaGBmd', 'wL3q4A7gie', 'v0IqfRdNrt', 'ePBq56YSjC', 'AgYqns9GeJ', 'jbWqen6B0Y', 'v4idR4zXiNZshdJNAB', 'vpBqOeKNk5ZbQgDOPW8', 'QdGqqvYUmS', 'BpiqB03wkB'
Source: 0.2.DOC_PDF.exe.76b0000.3.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.DOC_PDF.exe.76b0000.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, kaGBmd7IL3A7gie4gL.cs High entropy of concatenated method names: 'TshlAjPJZL', 'j76lE2RSAa', 'eIMl1XYK80', 'Fd4lNyhLyG', 'wAUlmG9fX2', 'pPElj6AcSC', 'Y5Ylw0Wtyu', 'uKjlYEWN24', 'kLFlJWw8t9', 'ATXlaECreM'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, qvUpK54jLa4D0hOo8U.cs High entropy of concatenated method names: 'e3vBXHLhG2', 'w0cBHQfGWy', 'TpjBlvWHH9', 'AjgBRVEYuF', 'VuOBclPojZ', 'ytDBCXcePX', 'nrhBO8Ks68', 'nA2B4wDg8Y', 'lyOBho3X1n', 'VFaBfUIfsD'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, ja0FrxTKZaBXr6wtsN.cs High entropy of concatenated method names: 'CatOH9nCgp', 'dPROR5TW6W', 'u2COCEFQNH', 'QqoCamf6I8', 'm5oCzA6a2K', 'yHyOkajt58', 'Lj3OqQ1lJv', 'Ik0O6YEeGi', 'YxVOBOg1Yo', 'JCkO8mIlEL'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, QCtMcHNdkjLmfehFJJ.cs High entropy of concatenated method names: 'LxUiftudFk', 'Uwui5STqaE', 'ToString', 'wSHiHHxApx', 'JZvil9Lr4K', 'pcMiR3CtIY', 'nDxic5fSo2', 'fIZiCSEmQD', 'wjEiOH2ZwF', 'rydi4W70NF'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, MITUhauvnfmoykYTqq.cs High entropy of concatenated method names: 'hWnO9tR90Z', 'RPlOg7Voll', 'J9jOQPsWsn', 'T23OtqHiVh', 'zIuOdy1osa', 'phdOvddFVE', 'P8FO0nHDu7', 'bEcO7i7q7G', 'LLVOMUN1jj', 'aQBOGBVTyC'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, jbhZerAV999bCjLvh3.cs High entropy of concatenated method names: 'w3RnSxZMX5', 'T9inUwcilY', 'g1nnAXwSyP', 'i6QnEAtd6e', 'pyXnWEaM6S', 'YMGnK9711T', 'PD7nD4vgHd', 'UCinVGNKMe', 'fWonrTE6P6', 'GrgnTaXEJA'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, nDVKwsqkqtbqtimbRvH.cs High entropy of concatenated method names: 'sSfs9dymTW', 'vCnsgwsXcC', 'v8qsQ1k50b', 'C5VstNy2Yv', 'WAosd4ZixB', 'fi6svf6QLU', 'Ccts0tH9qd', 'q2Vs7LHjt7', 'UtosMyQu2T', 'R9RsGDG15n'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, mi2vS06JFYcge8cJoT.cs High entropy of concatenated method names: 'ijyQtGxoP', 'uSYtDj0yv', 'MSLvDqLnx', 'D5s0GKYi3', 'XOGMWJnxB', 'yyuGEf5Mo', 'SyCbsdWr4WpbHsjmj1', 'zfUAZl5hcdC1RcJBJV', 'UuXPhQTpr', 'wytbM9heC'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, HAFWCwl0wYV1TKc6JB.cs High entropy of concatenated method names: 'Dispose', 'Ps5qJehSOS', 'T4V6WWT0UJ', 'Ilpggpho9I', 'VSSqabGYCi', 'LNJqzvf3qI', 'ProcessDialogKey', 'UYs6kYnkvU', 'rWf6qBSvcp', 'SeR66Xsw2P'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, kRiFjiqqm6lUi7TpIZ9.cs High entropy of concatenated method names: 'ToString', 'eMIbBhtbg0', 'idjb8DwYql', 'zAybXfgVfo', 'ge8bHQPAwJ', 'IngblQd15S', 'Q6gbRNcssi', 'EyTbck6T4h', 'l40YXvAO2OtCux7W14Z', 'xDiS9TA1nnTpNBLwbct'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, Sq34kgFFB7d6NqHHEk.cs High entropy of concatenated method names: 'Mixp7T4cIq', 'L8rpM1upqb', 'QTIpZebKrr', 'zsCpWOKuJd', 'KSNpDCEHAo', 'BQcpVw1bSP', 'scUpT7cJrx', 'wZBpxRubdw', 'vn4pSEjnsi', 'ND1pyb9UbZ'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, NSbGYCYiTNJvf3qImY.cs High entropy of concatenated method names: 'khwPHJhNnf', 'QxWPlNFEAX', 'SjRPRxjb29', 'aitPcykvf3', 'pyCPCsZfUD', 'ekdPO14mIS', 'OJiP4iMxIm', 'HdSPhkGV1Q', 'abmPffKnHW', 'f47P5mgPgG'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, uvx5IhqBbtBJdXBT7hK.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Bl4bAUGNvl', 'S3HbE2Js6j', 'G1Xb1PFgEf', 'ARBbNh4dxo', 'JZibmRtShS', 'N0hbjCneJn', 'SM5bwaJ18E'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, FeJObWZn6B0YmoJaZH.cs High entropy of concatenated method names: 'xmOCXGf5FG', 'UgWClyfWkp', 'BHwCc6lkFI', 'jf3CORu9QE', 'nfxC41hJ71', 'a0Jcmkgssr', 'dZFcjBbHTM', 'DxEcw0OJY5', 'NPMcYgFQoR', 'TumcJnyDaE'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, XSjCJsG9WsDXjdgYs9.cs High entropy of concatenated method names: 'NwGcdX8s03', 'Jtlc033kFB', 'h7vRKKN01u', 'c0FRDS2AAw', 'DTERVSwtNq', 'zVURrDe8DM', 'yToRTPCb7p', 'RpGRxA1t6j', 'fUpRuXm3Lt', 't8ORSMxOMH'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, GmQJ8Dq67Fj8S6cvP8x.cs High entropy of concatenated method names: 'I60b9FPtXc', 'Lf6bgiy0Mq', 'UZvbQ0C6q6', 'u5fJj2AtbFwQBGJcXeC', 'JHO1soAaucEYu1v7Od4', 'LJGpQiAHXo2TuJeCodh', 'rVSQtuACZ08U3j52EMQ', 'Dl6kigA0lYk3q3ZOJ6l'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, LS0I0oM0IRdNrt8PB6.cs High entropy of concatenated method names: 'IbZRtHId8b', 'q1IRvMDyWH', 'sCrR7GLJar', 'gRsRM8rv8w', 'EBGRnSVkWY', 'I77ReeVg1e', 'M3ORiJ5a1l', 'pgTRPlvF1i', 'XSIRs0W2TK', 'pQERbhS9cW'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, rYnkvUJPWfBSvcpEeR.cs High entropy of concatenated method names: 'YxiPZERhUi', 'PuQPW0TP22', 'N3lPKAZtn4', 'miVPD8dRdO', 'JpRPAVBAbh', 'WlNPVXib1h', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, xw56Ae8FFfYwaKqXtX.cs High entropy of concatenated method names: 'Vv4qOaGBmd', 'wL3q4A7gie', 'v0IqfRdNrt', 'ePBq56YSjC', 'AgYqns9GeJ', 'jbWqen6B0Y', 'v4idR4zXiNZshdJNAB', 'vpBqOeKNk5ZbQgDOPW8', 'QdGqqvYUmS', 'BpiqB03wkB'
Source: 0.2.DOC_PDF.exe.345c734.1.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.DOC_PDF.exe.345c734.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'

Hooking and other Techniques for Hiding and Protection
barindex
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE1
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: DOC_PDF.exe PID: 6620, type: MEMORYSTR
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\DOC_PDF.exe API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Users\user\Desktop\DOC_PDF.exe API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Users\user\Desktop\DOC_PDF.exe API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Users\user\Desktop\DOC_PDF.exe API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Users\user\Desktop\DOC_PDF.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Users\user\Desktop\DOC_PDF.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\DOC_PDF.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DOC_PDF.exe RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 2E79904 second address: 2E7990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 2E79B6E second address: 2E79B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\DOC_PDF.exe Memory allocated: 16C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Memory allocated: 33D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Memory allocated: 3240000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Memory allocated: 84A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Memory allocated: 94A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Memory allocated: 9660000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Memory allocated: A660000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_00409AA0 rdtsc 3_2_00409AA0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DOC_PDF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 9850 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 891 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 861 Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Window / User API: threadDelayed 5375 Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Window / User API: threadDelayed 4596 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\DOC_PDF.exe API coverage: 1.6 %
Source: C:\Windows\SysWOW64\msdt.exe API coverage: 0.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DOC_PDF.exe TID: 6256 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6180 Thread sleep count: 9850 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6180 Thread sleep time: -19700000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6180 Thread sleep count: 96 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6180 Thread sleep time: -192000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002B602D GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree, 5_2_002B602D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002C60A8 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 5_2_002C60A8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002B1B92 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 5_2_002B1B92
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002B5C20 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 5_2_002B5C20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002C743A memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 5_2_002C743A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002B4CB6 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 5_2_002B4CB6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002B4EDC memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 5_2_002B4EDC
Source: C:\Users\user\Desktop\DOC_PDF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000004.00000003.3827270143.0000000009C92000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000004.00000000.2056628232.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000004.00000002.4510666183.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000004.00000002.4513465744.0000000009C22000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000004.00000002.4510666183.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000004.00000002.4510666183.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000004.00000003.3827270143.0000000009C92000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000003.3097162439.000000000354D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000004.00000003.3827270143.0000000009C92000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000002.4502583953.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000004.00000003.3097162439.000000000354D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000004.00000000.2056628232.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000004.00000000.2058647031.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510666183.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000003.3097162439.000000000354D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000004.00000003.3097162439.000000000354D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: explorer.exe, 00000004.00000002.4513465744.0000000009C22000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000004.00000003.3827270143.0000000009C92000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: explorer.exe, 00000004.00000002.4502583953.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000004.00000002.4510666183.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.4506643376.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\DOC_PDF.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\DOC_PDF.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_00409AA0 rdtsc 3_2_00409AA0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0040ACE0 LdrLoadDll, 3_2_0040ACE0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002A0FA2 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW, 5_2_002A0FA2
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194019F mov eax, dword ptr fs:[00000030h] 3_2_0194019F
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194019F mov eax, dword ptr fs:[00000030h] 3_2_0194019F
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194019F mov eax, dword ptr fs:[00000030h] 3_2_0194019F
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194019F mov eax, dword ptr fs:[00000030h] 3_2_0194019F
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01900185 mov eax, dword ptr fs:[00000030h] 3_2_01900185
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01964180 mov eax, dword ptr fs:[00000030h] 3_2_01964180
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01964180 mov eax, dword ptr fs:[00000030h] 3_2_01964180
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018BA197 mov eax, dword ptr fs:[00000030h] 3_2_018BA197
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018BA197 mov eax, dword ptr fs:[00000030h] 3_2_018BA197
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018BA197 mov eax, dword ptr fs:[00000030h] 3_2_018BA197
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0197C188 mov eax, dword ptr fs:[00000030h] 3_2_0197C188
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0197C188 mov eax, dword ptr fs:[00000030h] 3_2_0197C188
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193E1D0 mov eax, dword ptr fs:[00000030h] 3_2_0193E1D0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193E1D0 mov eax, dword ptr fs:[00000030h] 3_2_0193E1D0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193E1D0 mov ecx, dword ptr fs:[00000030h] 3_2_0193E1D0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193E1D0 mov eax, dword ptr fs:[00000030h] 3_2_0193E1D0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193E1D0 mov eax, dword ptr fs:[00000030h] 3_2_0193E1D0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019861C3 mov eax, dword ptr fs:[00000030h] 3_2_019861C3
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019861C3 mov eax, dword ptr fs:[00000030h] 3_2_019861C3
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F01F8 mov eax, dword ptr fs:[00000030h] 3_2_018F01F8
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019961E5 mov eax, dword ptr fs:[00000030h] 3_2_019961E5
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01980115 mov eax, dword ptr fs:[00000030h] 3_2_01980115
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196A118 mov ecx, dword ptr fs:[00000030h] 3_2_0196A118
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196A118 mov eax, dword ptr fs:[00000030h] 3_2_0196A118
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196A118 mov eax, dword ptr fs:[00000030h] 3_2_0196A118
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196A118 mov eax, dword ptr fs:[00000030h] 3_2_0196A118
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196E10E mov eax, dword ptr fs:[00000030h] 3_2_0196E10E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196E10E mov ecx, dword ptr fs:[00000030h] 3_2_0196E10E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196E10E mov eax, dword ptr fs:[00000030h] 3_2_0196E10E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196E10E mov eax, dword ptr fs:[00000030h] 3_2_0196E10E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196E10E mov ecx, dword ptr fs:[00000030h] 3_2_0196E10E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196E10E mov eax, dword ptr fs:[00000030h] 3_2_0196E10E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196E10E mov eax, dword ptr fs:[00000030h] 3_2_0196E10E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196E10E mov ecx, dword ptr fs:[00000030h] 3_2_0196E10E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196E10E mov eax, dword ptr fs:[00000030h] 3_2_0196E10E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196E10E mov ecx, dword ptr fs:[00000030h] 3_2_0196E10E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F0124 mov eax, dword ptr fs:[00000030h] 3_2_018F0124
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01958158 mov eax, dword ptr fs:[00000030h] 3_2_01958158
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01954144 mov eax, dword ptr fs:[00000030h] 3_2_01954144
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01954144 mov eax, dword ptr fs:[00000030h] 3_2_01954144
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01954144 mov ecx, dword ptr fs:[00000030h] 3_2_01954144
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01954144 mov eax, dword ptr fs:[00000030h] 3_2_01954144
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01954144 mov eax, dword ptr fs:[00000030h] 3_2_01954144
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C6154 mov eax, dword ptr fs:[00000030h] 3_2_018C6154
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C6154 mov eax, dword ptr fs:[00000030h] 3_2_018C6154
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018BC156 mov eax, dword ptr fs:[00000030h] 3_2_018BC156
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01994164 mov eax, dword ptr fs:[00000030h] 3_2_01994164
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01994164 mov eax, dword ptr fs:[00000030h] 3_2_01994164
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C208A mov eax, dword ptr fs:[00000030h] 3_2_018C208A
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019860B8 mov eax, dword ptr fs:[00000030h] 3_2_019860B8
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019860B8 mov ecx, dword ptr fs:[00000030h] 3_2_019860B8
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018B80A0 mov eax, dword ptr fs:[00000030h] 3_2_018B80A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019580A8 mov eax, dword ptr fs:[00000030h] 3_2_019580A8
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019420DE mov eax, dword ptr fs:[00000030h] 3_2_019420DE
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019020F0 mov ecx, dword ptr fs:[00000030h] 3_2_019020F0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C80E9 mov eax, dword ptr fs:[00000030h] 3_2_018C80E9
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018BA0E3 mov ecx, dword ptr fs:[00000030h] 3_2_018BA0E3
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019460E0 mov eax, dword ptr fs:[00000030h] 3_2_019460E0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018BC0F0 mov eax, dword ptr fs:[00000030h] 3_2_018BC0F0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01944000 mov ecx, dword ptr fs:[00000030h] 3_2_01944000
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01962000 mov eax, dword ptr fs:[00000030h] 3_2_01962000
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01962000 mov eax, dword ptr fs:[00000030h] 3_2_01962000
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01962000 mov eax, dword ptr fs:[00000030h] 3_2_01962000
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01962000 mov eax, dword ptr fs:[00000030h] 3_2_01962000
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01962000 mov eax, dword ptr fs:[00000030h] 3_2_01962000
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01962000 mov eax, dword ptr fs:[00000030h] 3_2_01962000
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01962000 mov eax, dword ptr fs:[00000030h] 3_2_01962000
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01962000 mov eax, dword ptr fs:[00000030h] 3_2_01962000
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018DE016 mov eax, dword ptr fs:[00000030h] 3_2_018DE016
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018DE016 mov eax, dword ptr fs:[00000030h] 3_2_018DE016
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018DE016 mov eax, dword ptr fs:[00000030h] 3_2_018DE016
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018DE016 mov eax, dword ptr fs:[00000030h] 3_2_018DE016
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01956030 mov eax, dword ptr fs:[00000030h] 3_2_01956030
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018BA020 mov eax, dword ptr fs:[00000030h] 3_2_018BA020
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018BC020 mov eax, dword ptr fs:[00000030h] 3_2_018BC020
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01946050 mov eax, dword ptr fs:[00000030h] 3_2_01946050
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C2050 mov eax, dword ptr fs:[00000030h] 3_2_018C2050
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EC073 mov eax, dword ptr fs:[00000030h] 3_2_018EC073
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E438F mov eax, dword ptr fs:[00000030h] 3_2_018E438F
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E438F mov eax, dword ptr fs:[00000030h] 3_2_018E438F
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018BE388 mov eax, dword ptr fs:[00000030h] 3_2_018BE388
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018BE388 mov eax, dword ptr fs:[00000030h] 3_2_018BE388
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018BE388 mov eax, dword ptr fs:[00000030h] 3_2_018BE388
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018B8397 mov eax, dword ptr fs:[00000030h] 3_2_018B8397
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018B8397 mov eax, dword ptr fs:[00000030h] 3_2_018B8397
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018B8397 mov eax, dword ptr fs:[00000030h] 3_2_018B8397
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019643D4 mov eax, dword ptr fs:[00000030h] 3_2_019643D4
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019643D4 mov eax, dword ptr fs:[00000030h] 3_2_019643D4
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CA3C0 mov eax, dword ptr fs:[00000030h] 3_2_018CA3C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CA3C0 mov eax, dword ptr fs:[00000030h] 3_2_018CA3C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CA3C0 mov eax, dword ptr fs:[00000030h] 3_2_018CA3C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CA3C0 mov eax, dword ptr fs:[00000030h] 3_2_018CA3C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CA3C0 mov eax, dword ptr fs:[00000030h] 3_2_018CA3C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CA3C0 mov eax, dword ptr fs:[00000030h] 3_2_018CA3C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C83C0 mov eax, dword ptr fs:[00000030h] 3_2_018C83C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C83C0 mov eax, dword ptr fs:[00000030h] 3_2_018C83C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C83C0 mov eax, dword ptr fs:[00000030h] 3_2_018C83C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C83C0 mov eax, dword ptr fs:[00000030h] 3_2_018C83C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196E3DB mov eax, dword ptr fs:[00000030h] 3_2_0196E3DB
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196E3DB mov eax, dword ptr fs:[00000030h] 3_2_0196E3DB
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196E3DB mov ecx, dword ptr fs:[00000030h] 3_2_0196E3DB
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196E3DB mov eax, dword ptr fs:[00000030h] 3_2_0196E3DB
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019463C0 mov eax, dword ptr fs:[00000030h] 3_2_019463C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0197C3CD mov eax, dword ptr fs:[00000030h] 3_2_0197C3CD
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D03E9 mov eax, dword ptr fs:[00000030h] 3_2_018D03E9
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D03E9 mov eax, dword ptr fs:[00000030h] 3_2_018D03E9
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D03E9 mov eax, dword ptr fs:[00000030h] 3_2_018D03E9
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D03E9 mov eax, dword ptr fs:[00000030h] 3_2_018D03E9
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D03E9 mov eax, dword ptr fs:[00000030h] 3_2_018D03E9
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D03E9 mov eax, dword ptr fs:[00000030h] 3_2_018D03E9
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D03E9 mov eax, dword ptr fs:[00000030h] 3_2_018D03E9
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D03E9 mov eax, dword ptr fs:[00000030h] 3_2_018D03E9
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F63FF mov eax, dword ptr fs:[00000030h] 3_2_018F63FF
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018DE3F0 mov eax, dword ptr fs:[00000030h] 3_2_018DE3F0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018DE3F0 mov eax, dword ptr fs:[00000030h] 3_2_018DE3F0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018DE3F0 mov eax, dword ptr fs:[00000030h] 3_2_018DE3F0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FA30B mov eax, dword ptr fs:[00000030h] 3_2_018FA30B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FA30B mov eax, dword ptr fs:[00000030h] 3_2_018FA30B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FA30B mov eax, dword ptr fs:[00000030h] 3_2_018FA30B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018BC310 mov ecx, dword ptr fs:[00000030h] 3_2_018BC310
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E0310 mov ecx, dword ptr fs:[00000030h] 3_2_018E0310
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01998324 mov eax, dword ptr fs:[00000030h] 3_2_01998324
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01998324 mov ecx, dword ptr fs:[00000030h] 3_2_01998324
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01998324 mov eax, dword ptr fs:[00000030h] 3_2_01998324
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01998324 mov eax, dword ptr fs:[00000030h] 3_2_01998324
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01968350 mov ecx, dword ptr fs:[00000030h] 3_2_01968350
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194035C mov eax, dword ptr fs:[00000030h] 3_2_0194035C
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194035C mov eax, dword ptr fs:[00000030h] 3_2_0194035C
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194035C mov eax, dword ptr fs:[00000030h] 3_2_0194035C
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194035C mov ecx, dword ptr fs:[00000030h] 3_2_0194035C
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194035C mov eax, dword ptr fs:[00000030h] 3_2_0194035C
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194035C mov eax, dword ptr fs:[00000030h] 3_2_0194035C
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0198A352 mov eax, dword ptr fs:[00000030h] 3_2_0198A352
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0199634F mov eax, dword ptr fs:[00000030h] 3_2_0199634F
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h] 3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h] 3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h] 3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h] 3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h] 3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h] 3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h] 3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h] 3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h] 3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h] 3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h] 3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h] 3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h] 3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h] 3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h] 3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196437C mov eax, dword ptr fs:[00000030h] 3_2_0196437C
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FE284 mov eax, dword ptr fs:[00000030h] 3_2_018FE284
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FE284 mov eax, dword ptr fs:[00000030h] 3_2_018FE284
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01940283 mov eax, dword ptr fs:[00000030h] 3_2_01940283
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01940283 mov eax, dword ptr fs:[00000030h] 3_2_01940283
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01940283 mov eax, dword ptr fs:[00000030h] 3_2_01940283
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D02A0 mov eax, dword ptr fs:[00000030h] 3_2_018D02A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D02A0 mov eax, dword ptr fs:[00000030h] 3_2_018D02A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019562A0 mov eax, dword ptr fs:[00000030h] 3_2_019562A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019562A0 mov ecx, dword ptr fs:[00000030h] 3_2_019562A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019562A0 mov eax, dword ptr fs:[00000030h] 3_2_019562A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019562A0 mov eax, dword ptr fs:[00000030h] 3_2_019562A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019562A0 mov eax, dword ptr fs:[00000030h] 3_2_019562A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019562A0 mov eax, dword ptr fs:[00000030h] 3_2_019562A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CA2C3 mov eax, dword ptr fs:[00000030h] 3_2_018CA2C3
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CA2C3 mov eax, dword ptr fs:[00000030h] 3_2_018CA2C3
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CA2C3 mov eax, dword ptr fs:[00000030h] 3_2_018CA2C3
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CA2C3 mov eax, dword ptr fs:[00000030h] 3_2_018CA2C3
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CA2C3 mov eax, dword ptr fs:[00000030h] 3_2_018CA2C3
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019962D6 mov eax, dword ptr fs:[00000030h] 3_2_019962D6
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D02E1 mov eax, dword ptr fs:[00000030h] 3_2_018D02E1
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D02E1 mov eax, dword ptr fs:[00000030h] 3_2_018D02E1
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D02E1 mov eax, dword ptr fs:[00000030h] 3_2_018D02E1
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018B823B mov eax, dword ptr fs:[00000030h] 3_2_018B823B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0199625D mov eax, dword ptr fs:[00000030h] 3_2_0199625D
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0197A250 mov eax, dword ptr fs:[00000030h] 3_2_0197A250
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0197A250 mov eax, dword ptr fs:[00000030h] 3_2_0197A250
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C6259 mov eax, dword ptr fs:[00000030h] 3_2_018C6259
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01948243 mov eax, dword ptr fs:[00000030h] 3_2_01948243
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01948243 mov ecx, dword ptr fs:[00000030h] 3_2_01948243
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018BA250 mov eax, dword ptr fs:[00000030h] 3_2_018BA250
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018B826B mov eax, dword ptr fs:[00000030h] 3_2_018B826B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h] 3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h] 3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h] 3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h] 3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h] 3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h] 3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h] 3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h] 3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h] 3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h] 3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h] 3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h] 3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C4260 mov eax, dword ptr fs:[00000030h] 3_2_018C4260
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C4260 mov eax, dword ptr fs:[00000030h] 3_2_018C4260
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C4260 mov eax, dword ptr fs:[00000030h] 3_2_018C4260
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F4588 mov eax, dword ptr fs:[00000030h] 3_2_018F4588
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C2582 mov eax, dword ptr fs:[00000030h] 3_2_018C2582
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C2582 mov ecx, dword ptr fs:[00000030h] 3_2_018C2582
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FE59C mov eax, dword ptr fs:[00000030h] 3_2_018FE59C
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019405A7 mov eax, dword ptr fs:[00000030h] 3_2_019405A7
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019405A7 mov eax, dword ptr fs:[00000030h] 3_2_019405A7
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019405A7 mov eax, dword ptr fs:[00000030h] 3_2_019405A7
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E45B1 mov eax, dword ptr fs:[00000030h] 3_2_018E45B1
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E45B1 mov eax, dword ptr fs:[00000030h] 3_2_018E45B1
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FE5CF mov eax, dword ptr fs:[00000030h] 3_2_018FE5CF
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FE5CF mov eax, dword ptr fs:[00000030h] 3_2_018FE5CF
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C65D0 mov eax, dword ptr fs:[00000030h] 3_2_018C65D0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FA5D0 mov eax, dword ptr fs:[00000030h] 3_2_018FA5D0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FA5D0 mov eax, dword ptr fs:[00000030h] 3_2_018FA5D0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FC5ED mov eax, dword ptr fs:[00000030h] 3_2_018FC5ED
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FC5ED mov eax, dword ptr fs:[00000030h] 3_2_018FC5ED
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EE5E7 mov eax, dword ptr fs:[00000030h] 3_2_018EE5E7
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EE5E7 mov eax, dword ptr fs:[00000030h] 3_2_018EE5E7
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EE5E7 mov eax, dword ptr fs:[00000030h] 3_2_018EE5E7
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EE5E7 mov eax, dword ptr fs:[00000030h] 3_2_018EE5E7
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EE5E7 mov eax, dword ptr fs:[00000030h] 3_2_018EE5E7
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EE5E7 mov eax, dword ptr fs:[00000030h] 3_2_018EE5E7
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EE5E7 mov eax, dword ptr fs:[00000030h] 3_2_018EE5E7
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EE5E7 mov eax, dword ptr fs:[00000030h] 3_2_018EE5E7
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C25E0 mov eax, dword ptr fs:[00000030h] 3_2_018C25E0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01956500 mov eax, dword ptr fs:[00000030h] 3_2_01956500
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01994500 mov eax, dword ptr fs:[00000030h] 3_2_01994500
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01994500 mov eax, dword ptr fs:[00000030h] 3_2_01994500
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01994500 mov eax, dword ptr fs:[00000030h] 3_2_01994500
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01994500 mov eax, dword ptr fs:[00000030h] 3_2_01994500
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01994500 mov eax, dword ptr fs:[00000030h] 3_2_01994500
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01994500 mov eax, dword ptr fs:[00000030h] 3_2_01994500
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01994500 mov eax, dword ptr fs:[00000030h] 3_2_01994500
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EE53E mov eax, dword ptr fs:[00000030h] 3_2_018EE53E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EE53E mov eax, dword ptr fs:[00000030h] 3_2_018EE53E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EE53E mov eax, dword ptr fs:[00000030h] 3_2_018EE53E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EE53E mov eax, dword ptr fs:[00000030h] 3_2_018EE53E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EE53E mov eax, dword ptr fs:[00000030h] 3_2_018EE53E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0535 mov eax, dword ptr fs:[00000030h] 3_2_018D0535
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0535 mov eax, dword ptr fs:[00000030h] 3_2_018D0535
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0535 mov eax, dword ptr fs:[00000030h] 3_2_018D0535
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0535 mov eax, dword ptr fs:[00000030h] 3_2_018D0535
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0535 mov eax, dword ptr fs:[00000030h] 3_2_018D0535
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0535 mov eax, dword ptr fs:[00000030h] 3_2_018D0535
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C8550 mov eax, dword ptr fs:[00000030h] 3_2_018C8550
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C8550 mov eax, dword ptr fs:[00000030h] 3_2_018C8550
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F656A mov eax, dword ptr fs:[00000030h] 3_2_018F656A
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F656A mov eax, dword ptr fs:[00000030h] 3_2_018F656A
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F656A mov eax, dword ptr fs:[00000030h] 3_2_018F656A
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0197A49A mov eax, dword ptr fs:[00000030h] 3_2_0197A49A
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194A4B0 mov eax, dword ptr fs:[00000030h] 3_2_0194A4B0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C64AB mov eax, dword ptr fs:[00000030h] 3_2_018C64AB
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F44B0 mov ecx, dword ptr fs:[00000030h] 3_2_018F44B0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C04E5 mov ecx, dword ptr fs:[00000030h] 3_2_018C04E5
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F8402 mov eax, dword ptr fs:[00000030h] 3_2_018F8402
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F8402 mov eax, dword ptr fs:[00000030h] 3_2_018F8402
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F8402 mov eax, dword ptr fs:[00000030h] 3_2_018F8402
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018BE420 mov eax, dword ptr fs:[00000030h] 3_2_018BE420
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018BE420 mov eax, dword ptr fs:[00000030h] 3_2_018BE420
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018BE420 mov eax, dword ptr fs:[00000030h] 3_2_018BE420
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018BC427 mov eax, dword ptr fs:[00000030h] 3_2_018BC427
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01946420 mov eax, dword ptr fs:[00000030h] 3_2_01946420
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01946420 mov eax, dword ptr fs:[00000030h] 3_2_01946420
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01946420 mov eax, dword ptr fs:[00000030h] 3_2_01946420
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01946420 mov eax, dword ptr fs:[00000030h] 3_2_01946420
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01946420 mov eax, dword ptr fs:[00000030h] 3_2_01946420
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01946420 mov eax, dword ptr fs:[00000030h] 3_2_01946420
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01946420 mov eax, dword ptr fs:[00000030h] 3_2_01946420
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FA430 mov eax, dword ptr fs:[00000030h] 3_2_018FA430
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0197A456 mov eax, dword ptr fs:[00000030h] 3_2_0197A456
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FE443 mov eax, dword ptr fs:[00000030h] 3_2_018FE443
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FE443 mov eax, dword ptr fs:[00000030h] 3_2_018FE443
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FE443 mov eax, dword ptr fs:[00000030h] 3_2_018FE443
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FE443 mov eax, dword ptr fs:[00000030h] 3_2_018FE443
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FE443 mov eax, dword ptr fs:[00000030h] 3_2_018FE443
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FE443 mov eax, dword ptr fs:[00000030h] 3_2_018FE443
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FE443 mov eax, dword ptr fs:[00000030h] 3_2_018FE443
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FE443 mov eax, dword ptr fs:[00000030h] 3_2_018FE443
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E245A mov eax, dword ptr fs:[00000030h] 3_2_018E245A
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018B645D mov eax, dword ptr fs:[00000030h] 3_2_018B645D
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194C460 mov ecx, dword ptr fs:[00000030h] 3_2_0194C460
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EA470 mov eax, dword ptr fs:[00000030h] 3_2_018EA470
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EA470 mov eax, dword ptr fs:[00000030h] 3_2_018EA470
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EA470 mov eax, dword ptr fs:[00000030h] 3_2_018EA470
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196678E mov eax, dword ptr fs:[00000030h] 3_2_0196678E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C07AF mov eax, dword ptr fs:[00000030h] 3_2_018C07AF
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019747A0 mov eax, dword ptr fs:[00000030h] 3_2_019747A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CC7C0 mov eax, dword ptr fs:[00000030h] 3_2_018CC7C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019407C3 mov eax, dword ptr fs:[00000030h] 3_2_019407C3
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E27ED mov eax, dword ptr fs:[00000030h] 3_2_018E27ED
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E27ED mov eax, dword ptr fs:[00000030h] 3_2_018E27ED
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E27ED mov eax, dword ptr fs:[00000030h] 3_2_018E27ED
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194E7E1 mov eax, dword ptr fs:[00000030h] 3_2_0194E7E1
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C47FB mov eax, dword ptr fs:[00000030h] 3_2_018C47FB
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C47FB mov eax, dword ptr fs:[00000030h] 3_2_018C47FB
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FC700 mov eax, dword ptr fs:[00000030h] 3_2_018FC700
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C0710 mov eax, dword ptr fs:[00000030h] 3_2_018C0710
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F0710 mov eax, dword ptr fs:[00000030h] 3_2_018F0710
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193C730 mov eax, dword ptr fs:[00000030h] 3_2_0193C730
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FC720 mov eax, dword ptr fs:[00000030h] 3_2_018FC720
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FC720 mov eax, dword ptr fs:[00000030h] 3_2_018FC720
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F273C mov eax, dword ptr fs:[00000030h] 3_2_018F273C
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F273C mov ecx, dword ptr fs:[00000030h] 3_2_018F273C
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F273C mov eax, dword ptr fs:[00000030h] 3_2_018F273C
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902750 mov eax, dword ptr fs:[00000030h] 3_2_01902750
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902750 mov eax, dword ptr fs:[00000030h] 3_2_01902750
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01944755 mov eax, dword ptr fs:[00000030h] 3_2_01944755
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F674D mov esi, dword ptr fs:[00000030h] 3_2_018F674D
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F674D mov eax, dword ptr fs:[00000030h] 3_2_018F674D
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F674D mov eax, dword ptr fs:[00000030h] 3_2_018F674D
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194E75D mov eax, dword ptr fs:[00000030h] 3_2_0194E75D
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C0750 mov eax, dword ptr fs:[00000030h] 3_2_018C0750
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C8770 mov eax, dword ptr fs:[00000030h] 3_2_018C8770
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h] 3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h] 3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h] 3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h] 3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h] 3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h] 3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h] 3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h] 3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h] 3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h] 3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h] 3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h] 3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C4690 mov eax, dword ptr fs:[00000030h] 3_2_018C4690
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C4690 mov eax, dword ptr fs:[00000030h] 3_2_018C4690
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FC6A6 mov eax, dword ptr fs:[00000030h] 3_2_018FC6A6
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F66B0 mov eax, dword ptr fs:[00000030h] 3_2_018F66B0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FA6C7 mov ebx, dword ptr fs:[00000030h] 3_2_018FA6C7
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FA6C7 mov eax, dword ptr fs:[00000030h] 3_2_018FA6C7
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193E6F2 mov eax, dword ptr fs:[00000030h] 3_2_0193E6F2
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193E6F2 mov eax, dword ptr fs:[00000030h] 3_2_0193E6F2
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193E6F2 mov eax, dword ptr fs:[00000030h] 3_2_0193E6F2
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193E6F2 mov eax, dword ptr fs:[00000030h] 3_2_0193E6F2
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019406F1 mov eax, dword ptr fs:[00000030h] 3_2_019406F1
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019406F1 mov eax, dword ptr fs:[00000030h] 3_2_019406F1
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D260B mov eax, dword ptr fs:[00000030h] 3_2_018D260B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D260B mov eax, dword ptr fs:[00000030h] 3_2_018D260B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D260B mov eax, dword ptr fs:[00000030h] 3_2_018D260B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D260B mov eax, dword ptr fs:[00000030h] 3_2_018D260B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D260B mov eax, dword ptr fs:[00000030h] 3_2_018D260B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D260B mov eax, dword ptr fs:[00000030h] 3_2_018D260B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D260B mov eax, dword ptr fs:[00000030h] 3_2_018D260B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01902619 mov eax, dword ptr fs:[00000030h] 3_2_01902619
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193E609 mov eax, dword ptr fs:[00000030h] 3_2_0193E609
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C262C mov eax, dword ptr fs:[00000030h] 3_2_018C262C
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018DE627 mov eax, dword ptr fs:[00000030h] 3_2_018DE627
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F6620 mov eax, dword ptr fs:[00000030h] 3_2_018F6620
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F8620 mov eax, dword ptr fs:[00000030h] 3_2_018F8620
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018DC640 mov eax, dword ptr fs:[00000030h] 3_2_018DC640
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FA660 mov eax, dword ptr fs:[00000030h] 3_2_018FA660
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FA660 mov eax, dword ptr fs:[00000030h] 3_2_018FA660
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0198866E mov eax, dword ptr fs:[00000030h] 3_2_0198866E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0198866E mov eax, dword ptr fs:[00000030h] 3_2_0198866E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F2674 mov eax, dword ptr fs:[00000030h] 3_2_018F2674
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C09AD mov eax, dword ptr fs:[00000030h] 3_2_018C09AD
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C09AD mov eax, dword ptr fs:[00000030h] 3_2_018C09AD
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019489B3 mov esi, dword ptr fs:[00000030h] 3_2_019489B3
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019489B3 mov eax, dword ptr fs:[00000030h] 3_2_019489B3
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019489B3 mov eax, dword ptr fs:[00000030h] 3_2_019489B3
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h] 3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h] 3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h] 3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h] 3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h] 3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h] 3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h] 3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h] 3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h] 3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h] 3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h] 3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h] 3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h] 3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0198A9D3 mov eax, dword ptr fs:[00000030h] 3_2_0198A9D3
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019569C0 mov eax, dword ptr fs:[00000030h] 3_2_019569C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CA9D0 mov eax, dword ptr fs:[00000030h] 3_2_018CA9D0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CA9D0 mov eax, dword ptr fs:[00000030h] 3_2_018CA9D0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CA9D0 mov eax, dword ptr fs:[00000030h] 3_2_018CA9D0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CA9D0 mov eax, dword ptr fs:[00000030h] 3_2_018CA9D0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CA9D0 mov eax, dword ptr fs:[00000030h] 3_2_018CA9D0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CA9D0 mov eax, dword ptr fs:[00000030h] 3_2_018CA9D0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F49D0 mov eax, dword ptr fs:[00000030h] 3_2_018F49D0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194E9E0 mov eax, dword ptr fs:[00000030h] 3_2_0194E9E0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F29F9 mov eax, dword ptr fs:[00000030h] 3_2_018F29F9
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F29F9 mov eax, dword ptr fs:[00000030h] 3_2_018F29F9
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194C912 mov eax, dword ptr fs:[00000030h] 3_2_0194C912
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018B8918 mov eax, dword ptr fs:[00000030h] 3_2_018B8918
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018B8918 mov eax, dword ptr fs:[00000030h] 3_2_018B8918
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193E908 mov eax, dword ptr fs:[00000030h] 3_2_0193E908
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193E908 mov eax, dword ptr fs:[00000030h] 3_2_0193E908
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194892A mov eax, dword ptr fs:[00000030h] 3_2_0194892A
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0195892B mov eax, dword ptr fs:[00000030h] 3_2_0195892B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01940946 mov eax, dword ptr fs:[00000030h] 3_2_01940946
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01994940 mov eax, dword ptr fs:[00000030h] 3_2_01994940
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194C97C mov eax, dword ptr fs:[00000030h] 3_2_0194C97C
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E6962 mov eax, dword ptr fs:[00000030h] 3_2_018E6962
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E6962 mov eax, dword ptr fs:[00000030h] 3_2_018E6962
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E6962 mov eax, dword ptr fs:[00000030h] 3_2_018E6962
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01964978 mov eax, dword ptr fs:[00000030h] 3_2_01964978
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01964978 mov eax, dword ptr fs:[00000030h] 3_2_01964978
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0190096E mov eax, dword ptr fs:[00000030h] 3_2_0190096E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0190096E mov edx, dword ptr fs:[00000030h] 3_2_0190096E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0190096E mov eax, dword ptr fs:[00000030h] 3_2_0190096E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194C89D mov eax, dword ptr fs:[00000030h] 3_2_0194C89D
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C0887 mov eax, dword ptr fs:[00000030h] 3_2_018C0887
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EE8C0 mov eax, dword ptr fs:[00000030h] 3_2_018EE8C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_019908C0 mov eax, dword ptr fs:[00000030h] 3_2_019908C0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FC8F9 mov eax, dword ptr fs:[00000030h] 3_2_018FC8F9
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FC8F9 mov eax, dword ptr fs:[00000030h] 3_2_018FC8F9
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0198A8E4 mov eax, dword ptr fs:[00000030h] 3_2_0198A8E4
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194C810 mov eax, dword ptr fs:[00000030h] 3_2_0194C810
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196483A mov eax, dword ptr fs:[00000030h] 3_2_0196483A
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196483A mov eax, dword ptr fs:[00000030h] 3_2_0196483A
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E2835 mov eax, dword ptr fs:[00000030h] 3_2_018E2835
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E2835 mov eax, dword ptr fs:[00000030h] 3_2_018E2835
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E2835 mov eax, dword ptr fs:[00000030h] 3_2_018E2835
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E2835 mov ecx, dword ptr fs:[00000030h] 3_2_018E2835
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E2835 mov eax, dword ptr fs:[00000030h] 3_2_018E2835
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E2835 mov eax, dword ptr fs:[00000030h] 3_2_018E2835
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FA830 mov eax, dword ptr fs:[00000030h] 3_2_018FA830
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D2840 mov ecx, dword ptr fs:[00000030h] 3_2_018D2840
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C4859 mov eax, dword ptr fs:[00000030h] 3_2_018C4859
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C4859 mov eax, dword ptr fs:[00000030h] 3_2_018C4859
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F0854 mov eax, dword ptr fs:[00000030h] 3_2_018F0854
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01956870 mov eax, dword ptr fs:[00000030h] 3_2_01956870
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01956870 mov eax, dword ptr fs:[00000030h] 3_2_01956870
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194E872 mov eax, dword ptr fs:[00000030h] 3_2_0194E872
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194E872 mov eax, dword ptr fs:[00000030h] 3_2_0194E872
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01974BB0 mov eax, dword ptr fs:[00000030h] 3_2_01974BB0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01974BB0 mov eax, dword ptr fs:[00000030h] 3_2_01974BB0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0BBE mov eax, dword ptr fs:[00000030h] 3_2_018D0BBE
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0BBE mov eax, dword ptr fs:[00000030h] 3_2_018D0BBE
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C0BCD mov eax, dword ptr fs:[00000030h] 3_2_018C0BCD
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C0BCD mov eax, dword ptr fs:[00000030h] 3_2_018C0BCD
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C0BCD mov eax, dword ptr fs:[00000030h] 3_2_018C0BCD
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E0BCB mov eax, dword ptr fs:[00000030h] 3_2_018E0BCB
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E0BCB mov eax, dword ptr fs:[00000030h] 3_2_018E0BCB
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E0BCB mov eax, dword ptr fs:[00000030h] 3_2_018E0BCB
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196EBD0 mov eax, dword ptr fs:[00000030h] 3_2_0196EBD0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194CBF0 mov eax, dword ptr fs:[00000030h] 3_2_0194CBF0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EEBFC mov eax, dword ptr fs:[00000030h] 3_2_018EEBFC
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C8BF0 mov eax, dword ptr fs:[00000030h] 3_2_018C8BF0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C8BF0 mov eax, dword ptr fs:[00000030h] 3_2_018C8BF0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C8BF0 mov eax, dword ptr fs:[00000030h] 3_2_018C8BF0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193EB1D mov eax, dword ptr fs:[00000030h] 3_2_0193EB1D
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193EB1D mov eax, dword ptr fs:[00000030h] 3_2_0193EB1D
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193EB1D mov eax, dword ptr fs:[00000030h] 3_2_0193EB1D
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193EB1D mov eax, dword ptr fs:[00000030h] 3_2_0193EB1D
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193EB1D mov eax, dword ptr fs:[00000030h] 3_2_0193EB1D
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193EB1D mov eax, dword ptr fs:[00000030h] 3_2_0193EB1D
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193EB1D mov eax, dword ptr fs:[00000030h] 3_2_0193EB1D
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193EB1D mov eax, dword ptr fs:[00000030h] 3_2_0193EB1D
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0193EB1D mov eax, dword ptr fs:[00000030h] 3_2_0193EB1D
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01994B00 mov eax, dword ptr fs:[00000030h] 3_2_01994B00
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EEB20 mov eax, dword ptr fs:[00000030h] 3_2_018EEB20
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EEB20 mov eax, dword ptr fs:[00000030h] 3_2_018EEB20
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01988B28 mov eax, dword ptr fs:[00000030h] 3_2_01988B28
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01988B28 mov eax, dword ptr fs:[00000030h] 3_2_01988B28
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0196EB50 mov eax, dword ptr fs:[00000030h] 3_2_0196EB50
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01992B57 mov eax, dword ptr fs:[00000030h] 3_2_01992B57
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01992B57 mov eax, dword ptr fs:[00000030h] 3_2_01992B57
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01992B57 mov eax, dword ptr fs:[00000030h] 3_2_01992B57
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01992B57 mov eax, dword ptr fs:[00000030h] 3_2_01992B57
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01968B42 mov eax, dword ptr fs:[00000030h] 3_2_01968B42
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01956B40 mov eax, dword ptr fs:[00000030h] 3_2_01956B40
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01956B40 mov eax, dword ptr fs:[00000030h] 3_2_01956B40
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0198AB40 mov eax, dword ptr fs:[00000030h] 3_2_0198AB40
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018B8B50 mov eax, dword ptr fs:[00000030h] 3_2_018B8B50
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01974B4B mov eax, dword ptr fs:[00000030h] 3_2_01974B4B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01974B4B mov eax, dword ptr fs:[00000030h] 3_2_01974B4B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018BCB7E mov eax, dword ptr fs:[00000030h] 3_2_018BCB7E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CEA80 mov eax, dword ptr fs:[00000030h] 3_2_018CEA80
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CEA80 mov eax, dword ptr fs:[00000030h] 3_2_018CEA80
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CEA80 mov eax, dword ptr fs:[00000030h] 3_2_018CEA80
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CEA80 mov eax, dword ptr fs:[00000030h] 3_2_018CEA80
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CEA80 mov eax, dword ptr fs:[00000030h] 3_2_018CEA80
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CEA80 mov eax, dword ptr fs:[00000030h] 3_2_018CEA80
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CEA80 mov eax, dword ptr fs:[00000030h] 3_2_018CEA80
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CEA80 mov eax, dword ptr fs:[00000030h] 3_2_018CEA80
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018CEA80 mov eax, dword ptr fs:[00000030h] 3_2_018CEA80
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01994A80 mov eax, dword ptr fs:[00000030h] 3_2_01994A80
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F8A90 mov edx, dword ptr fs:[00000030h] 3_2_018F8A90
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C8AA0 mov eax, dword ptr fs:[00000030h] 3_2_018C8AA0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C8AA0 mov eax, dword ptr fs:[00000030h] 3_2_018C8AA0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01916AA4 mov eax, dword ptr fs:[00000030h] 3_2_01916AA4
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C0AD0 mov eax, dword ptr fs:[00000030h] 3_2_018C0AD0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01916ACC mov eax, dword ptr fs:[00000030h] 3_2_01916ACC
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01916ACC mov eax, dword ptr fs:[00000030h] 3_2_01916ACC
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_01916ACC mov eax, dword ptr fs:[00000030h] 3_2_01916ACC
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F4AD0 mov eax, dword ptr fs:[00000030h] 3_2_018F4AD0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018F4AD0 mov eax, dword ptr fs:[00000030h] 3_2_018F4AD0
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FAAEE mov eax, dword ptr fs:[00000030h] 3_2_018FAAEE
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FAAEE mov eax, dword ptr fs:[00000030h] 3_2_018FAAEE
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_0194CA11 mov eax, dword ptr fs:[00000030h] 3_2_0194CA11
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018EEA2E mov eax, dword ptr fs:[00000030h] 3_2_018EEA2E
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FCA24 mov eax, dword ptr fs:[00000030h] 3_2_018FCA24
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018FCA38 mov eax, dword ptr fs:[00000030h] 3_2_018FCA38
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E4A35 mov eax, dword ptr fs:[00000030h] 3_2_018E4A35
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018E4A35 mov eax, dword ptr fs:[00000030h] 3_2_018E4A35
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0A5B mov eax, dword ptr fs:[00000030h] 3_2_018D0A5B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018D0A5B mov eax, dword ptr fs:[00000030h] 3_2_018D0A5B
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C6A50 mov eax, dword ptr fs:[00000030h] 3_2_018C6A50
Source: C:\Users\user\Desktop\DOC_PDF.exe Code function: 3_2_018C6A50 mov eax, dword ptr fs:[00000030h] 3_2_018C6A50
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002B602D GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree, 5_2_002B602D
Enables debug privileges
Source: C:\Users\user\Desktop\DOC_PDF.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002D0C80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_002D0C80
Source: C:\Users\user\Desktop\DOC_PDF.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\user\Desktop\DOC_PDF.exe NtQueueApcThread: Indirect: 0x187A4F2 Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe NtClose: Indirect: 0x187A56C
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\DOC_PDF.exe Memory written: C:\Users\user\Desktop\DOC_PDF.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\DOC_PDF.exe Thread register set: target process: 1028 Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Thread register set: target process: 1028 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\DOC_PDF.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\DOC_PDF.exe Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 280000 Jump to behavior
Contains functionality to launch a program with higher privileges
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002A2710 memset,GetModuleFileNameW,GetLastError,ShellExecuteExW,CreateThread,GetLastError,GetProcessHeap,HeapFree,GetLastError, 5_2_002A2710
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DOC_PDF.exe Process created: C:\Users\user\Desktop\DOC_PDF.exe "C:\Users\user\Desktop\DOC_PDF.exe" Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DOC_PDF.exe" Jump to behavior
Source: explorer.exe, 00000004.00000003.3828353043.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095363087.0000000009B95000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000004.00000002.4503812385.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2043823807.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000002.4506324559.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4503812385.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2043823807.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.4503812385.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2043823807.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.4503812385.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2043823807.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.2043320694.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4502583953.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\DOC_PDF.exe Queries volume information: C:\Users\user\Desktop\DOC_PDF.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002B7E50 GetProcessHeap,HeapAlloc,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateEventW,CreateNamedPipeW,ConnectNamedPipe,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,LocalFree, 5_2_002B7E50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_002B7A8E GetSystemTime, 5_2_002B7A8E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_00294764 GetProcessHeap,HeapAlloc,GetUserNameExW,GetLastError,SysFreeString,GetProcessHeap,HeapFree, 5_2_00294764
Source: C:\Users\user\Desktop\DOC_PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 3.2.DOC_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.DOC_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 3.2.DOC_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.DOC_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1519409 Sample: DOC_PDF.exe Startdate: 26/09/2024 Architecture: WINDOWS Score: 100 29 www.utebolshirts.shop 2->29 31 www.rojectleadzone.website 2->31 33 9 other IPs or domains 2->33 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 9 other signatures 2->41 11 DOC_PDF.exe 3 2->11         started        signatures3 process4 file5 27 C:\Users\user\AppData\...\DOC_PDF.exe.log, ASCII 11->27 dropped 49 Tries to detect virtualization through RDTSC time measurements 11->49 51 Injects a PE file into a foreign processes 11->51 53 Switches to a custom stack to bypass stack traces 11->53 15 DOC_PDF.exe 11->15         started        signatures6 process7 signatures8 55 Modifies the context of a thread in another process (thread injection) 15->55 57 Maps a DLL or memory area into another process 15->57 59 Sample uses process hollowing technique 15->59 61 2 other signatures 15->61 18 explorer.exe 98 7 15->18 injected process9 process10 20 msdt.exe 18->20         started        signatures11 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
No contacted IP infos

Contacted Domains

Name IP Active
www.awlc7038.vip unknown unknown
www.48827496.top unknown unknown
www.olf-cart-82894.bond unknown unknown
www.ewancash.boats unknown unknown
www.aemoruhagic.click unknown unknown
www.rojectleadzone.website unknown unknown
www.bykmr.shop unknown unknown
www.utebolshirts.shop unknown unknown
www.hegdg.net unknown unknown
www.hewieandfriends.info unknown unknown
www.igh-class-jewelry.info unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
www.awlc7038.vip/b31a/ true
  • Avira URL Cloud: safe
 unknown