Windows Analysis Report
DOC_PDF.exe

AI detected suspicious sample

Source: Yara match	File source: 3.2.DOC_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.DOC_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: DOC_PDF.exe

Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 5_2_002BAFB8 CertGetCertificateContextProperty,GetLastError,CryptHashCertificate,GetLastError,GetLastError,CertFreeCertificateContext,

5_2_002BAFB8

Source: DOC_PDF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DOC_PDF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: msdt.pdbGCTL source: DOC_PDF.exe, 00000003.00000002.2104291686.0000000001D30000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 00000005.00000002.4502325563.0000000000280000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: DOC_PDF.exe, 00000003.00000002.2102921676.0000000001890000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2106101852.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.4503940124.0000000005090000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.4503940124.000000000522E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2102931452.0000000004D30000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DOC_PDF.exe, DOC_PDF.exe, 00000003.00000002.2102921676.0000000001890000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, msdt.exe, 00000005.00000003.2106101852.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.4503940124.0000000005090000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.4503940124.000000000522E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2102931452.0000000004D30000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mJGu.pdb source: DOC_PDF.exe
Source:	Binary string: mJGu.pdbSHA256 source: DOC_PDF.exe
Source:	Binary string: msdt.pdb source: DOC_PDF.exe, 00000003.00000002.2104291686.0000000001D30000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, msdt.exe, 00000005.00000002.4502325563.0000000000280000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002B602D GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree,	5_2_002B602D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002C60A8 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	5_2_002C60A8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002B1B92 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,	5_2_002B1B92
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002B5C20 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	5_2_002B5C20
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002C743A memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	5_2_002C743A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002B4CB6 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,	5_2_002B4CB6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002B4EDC memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,	5_2_002B4EDC

Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 4x nop then jmp 08358EFBh	0_2_08358D68
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 4x nop then pop edi	3_2_00416C96
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 4x nop then pop edi	5_2_02E86C96

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.awlc7038.vip/b31a/

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.awlc7038.vip replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.rojectleadzone.website replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.hegdg.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ewancash.boats replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.48827496.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.bykmr.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.igh-class-jewelry.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.hewieandfriends.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.aemoruhagic.click replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.utebolshirts.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.olf-cart-82894.bond replaycode: Name error (3)

Source: unknown	DNS traffic detected: query: www.awlc7038.vip replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.rojectleadzone.website replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.hegdg.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ewancash.boats replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.48827496.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.bykmr.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.igh-class-jewelry.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.hewieandfriends.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.aemoruhagic.click replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.utebolshirts.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.olf-cart-82894.bond replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: www.awlc7038.vip
Source: global traffic	DNS traffic detected: DNS query: www.rojectleadzone.website
Source: global traffic	DNS traffic detected: DNS query: www.olf-cart-82894.bond
Source: global traffic	DNS traffic detected: DNS query: www.hewieandfriends.info
Source: global traffic	DNS traffic detected: DNS query: www.ewancash.boats
Source: global traffic	DNS traffic detected: DNS query: www.igh-class-jewelry.info
Source: global traffic	DNS traffic detected: DNS query: www.48827496.top
Source: global traffic	DNS traffic detected: DNS query: www.bykmr.shop
Source: global traffic	DNS traffic detected: DNS query: www.utebolshirts.shop
Source: global traffic	DNS traffic detected: DNS query: www.hegdg.net
Source: global traffic	DNS traffic detected: DNS query: www.aemoruhagic.click

Source: explorer.exe, 00000004.00000002.4510666183.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510666183.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000004.00000000.2043320694.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4502583953.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 00000004.00000002.4510666183.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510666183.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000004.00000002.4510666183.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510666183.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000004.00000002.4510666183.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510666183.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000004.00000003.3094195569.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510666183.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000004.00000000.2057955900.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4508804572.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2057404332.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.-web-p102.buzz
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.-web-p102.buzz/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.-web-p102.buzz/b31a/www.indjuvedermdoctorsnearby.today
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.-web-p102.buzzReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2239d3.christmas
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2239d3.christmas/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2239d3.christmas/b31a/h
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2239d3.christmasReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.48827496.top
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.48827496.top/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.48827496.top/b31a/www.bykmr.shop
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.48827496.topReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aemoruhagic.click
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aemoruhagic.click/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aemoruhagic.click/b31a/www.-web-p102.buzz
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aemoruhagic.clickReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ashforhouse19.online
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ashforhouse19.online/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ashforhouse19.online/b31a/www.2239d3.christmas
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ashforhouse19.onlineReferer:
Source: explorer.exe, 00000004.00000003.3825649798.000000000C8EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095300966.000000000C8E8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3102191852.000000000C8EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3093866051.000000000C8E8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2062761599.000000000C8E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.E
Source: explorer.exe, 00000004.00000000.2062761599.000000000C8BC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095300966.000000000C8DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3093866051.000000000C8BC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.awlc7038.vip
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.awlc7038.vip/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.awlc7038.vip/b31a/www.rojectleadzone.website
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.awlc7038.vipReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bykmr.shop
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bykmr.shop/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bykmr.shop/b31a/www.utebolshirts.shop
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bykmr.shopReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ewancash.boats
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ewancash.boats/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ewancash.boats/b31a/www.igh-class-jewelry.info
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ewancash.boatsReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hegdg.net
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hegdg.net/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hegdg.net/b31a/www.aemoruhagic.click
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hegdg.netReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hewieandfriends.info
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hewieandfriends.info/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hewieandfriends.info/b31a/www.ewancash.boats
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hewieandfriends.infoReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.igh-class-jewelry.info
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.igh-class-jewelry.info/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.igh-class-jewelry.info/b31a/www.48827496.top
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.igh-class-jewelry.infoReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.indjuvedermdoctorsnearby.today
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.indjuvedermdoctorsnearby.today/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.indjuvedermdoctorsnearby.today/b31a/www.ashforhouse19.online
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.indjuvedermdoctorsnearby.todayReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.olf-cart-82894.bond
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.olf-cart-82894.bond/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.olf-cart-82894.bond/b31a/www.hewieandfriends.info
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.olf-cart-82894.bondReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.resdai.xyz
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.resdai.xyz/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.resdai.xyz/b31a/www.hegdg.net
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.resdai.xyzReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rojectleadzone.website
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rojectleadzone.website/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rojectleadzone.website/b31a/www.olf-cart-82894.bond
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rojectleadzone.websiteReferer:
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.utebolshirts.shop
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.utebolshirts.shop/b31a/
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.utebolshirts.shop/b31a/www.resdai.xyz
Source: explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.utebolshirts.shopReferer:
Source: explorer.exe, 00000004.00000002.4516483645.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2062045915.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000004.00000003.3827896321.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4506643376.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2056628232.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000004.00000002.4510666183.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000004.00000002.4506643376.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2056628232.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000004.00000003.3097162439.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2044254492.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4504765400.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000004.00000003.3828353043.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095363087.0000000009B95000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3826265427.0000000009B95000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4513465744.0000000009C22000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000004.00000000.2058647031.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4513550393.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095363087.0000000009B95000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3826265427.0000000009B95000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3827270143.0000000009C92000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000004.00000002.4516483645.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2062045915.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000004.00000003.3094195569.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510666183.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000004.00000003.3094195569.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510666183.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 5_2_002B2361 GetProcessHeap,HeapAlloc,CreateStreamOnHGlobal,OpenClipboard,GetLastError,EmptyClipboard,GetHGlobalFromStream,SetClipboardData,CloseClipboard,GetProcessHeap,HeapFree,

5_2_002B2361

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 5_2_002B2361 GetProcessHeap,HeapAlloc,CreateStreamOnHGlobal,OpenClipboard,GetLastError,EmptyClipboard,GetHGlobalFromStream,SetClipboardData,CloseClipboard,GetProcessHeap,HeapFree,

5_2_002B2361

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 3.2.DOC_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.DOC_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.2.DOC_PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.DOC_PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.DOC_PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.DOC_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.DOC_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.DOC_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4519710590.0000000010520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: DOC_PDF.exe PID: 6620, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: DOC_PDF.exe PID: 5740, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msdt.exe PID: 4320, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: DOC_PDF.exe

Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0041A320 NtCreateFile,	3_2_0041A320
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0041A3D0 NtReadFile,	3_2_0041A3D0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0041A450 NtClose,	3_2_0041A450
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0041A500 NtAllocateVirtualMemory,	3_2_0041A500
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0041A44A NtReadFile,NtClose,	3_2_0041A44A
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_01902BF0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902B60 NtClose,LdrInitializeThunk,	3_2_01902B60
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902AD0 NtReadFile,LdrInitializeThunk,	3_2_01902AD0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902DD0 NtDelayExecution,LdrInitializeThunk,	3_2_01902DD0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_01902DF0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902D10 NtMapViewOfSection,LdrInitializeThunk,	3_2_01902D10
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902D30 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_01902D30
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902CA0 NtQueryInformationToken,LdrInitializeThunk,	3_2_01902CA0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_01902C70
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902F90 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_01902F90
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902FB0 NtResumeThread,LdrInitializeThunk,	3_2_01902FB0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902FE0 NtCreateFile,LdrInitializeThunk,	3_2_01902FE0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902F30 NtCreateSection,LdrInitializeThunk,	3_2_01902F30
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902E80 NtReadVirtualMemory,LdrInitializeThunk,	3_2_01902E80
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_01902EA0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01904340 NtSetContextThread,	3_2_01904340
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01904650 NtSuspendThread,	3_2_01904650
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902B80 NtQueryInformationFile,	3_2_01902B80
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902BA0 NtEnumerateValueKey,	3_2_01902BA0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902BE0 NtQueryValueKey,	3_2_01902BE0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902AB0 NtWaitForSingleObject,	3_2_01902AB0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902AF0 NtWriteFile,	3_2_01902AF0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902DB0 NtEnumerateKey,	3_2_01902DB0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902D00 NtSetInformationFile,	3_2_01902D00
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902CC0 NtQueryVirtualMemory,	3_2_01902CC0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902CF0 NtOpenProcess,	3_2_01902CF0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902C00 NtQueryInformationProcess,	3_2_01902C00
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902C60 NtCreateKey,	3_2_01902C60
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902FA0 NtQuerySection,	3_2_01902FA0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902F60 NtCreateProcessEx,	3_2_01902F60
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902EE0 NtQueueApcThread,	3_2_01902EE0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902E30 NtWriteVirtualMemory,	3_2_01902E30
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01903090 NtSetValueKey,	3_2_01903090
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01903010 NtOpenDirectoryObject,	3_2_01903010
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019035C0 NtCreateMutant,	3_2_019035C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019039B0 NtGetContextThread,	3_2_019039B0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01903D10 NtOpenProcessToken,	3_2_01903D10
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01903D70 NtOpenThread,	3_2_01903D70
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002C1C50 NtQueryInformationToken,NtQueryInformationToken,	5_2_002C1C50
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002C1CBD NtOpenThreadToken,NtOpenProcessToken,NtQueryInformationToken,NtClose,	5_2_002C1CBD
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_051035C0 NtCreateMutant,LdrInitializeThunk,	5_2_051035C0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_05102D10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102DD0 NtDelayExecution,LdrInitializeThunk,	5_2_05102DD0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_05102DF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_05102C70
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102C60 NtCreateKey,LdrInitializeThunk,	5_2_05102C60
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_05102CA0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102F30 NtCreateSection,LdrInitializeThunk,	5_2_05102F30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102FE0 NtCreateFile,LdrInitializeThunk,	5_2_05102FE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_05102EA0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102B60 NtClose,LdrInitializeThunk,	5_2_05102B60
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_05102BF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_05102BE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102AD0 NtReadFile,LdrInitializeThunk,	5_2_05102AD0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05104650 NtSuspendThread,	5_2_05104650
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05103010 NtOpenDirectoryObject,	5_2_05103010
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05103090 NtSetValueKey,	5_2_05103090
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05104340 NtSetContextThread,	5_2_05104340
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05103D10 NtOpenProcessToken,	5_2_05103D10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102D00 NtSetInformationFile,	5_2_05102D00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102D30 NtUnmapViewOfSection,	5_2_05102D30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05103D70 NtOpenThread,	5_2_05103D70
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102DB0 NtEnumerateKey,	5_2_05102DB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102C00 NtQueryInformationProcess,	5_2_05102C00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102CC0 NtQueryVirtualMemory,	5_2_05102CC0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102CF0 NtOpenProcess,	5_2_05102CF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102F60 NtCreateProcessEx,	5_2_05102F60
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102F90 NtProtectVirtualMemory,	5_2_05102F90
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102FB0 NtResumeThread,	5_2_05102FB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102FA0 NtQuerySection,	5_2_05102FA0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102E30 NtWriteVirtualMemory,	5_2_05102E30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102E80 NtReadVirtualMemory,	5_2_05102E80
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102EE0 NtQueueApcThread,	5_2_05102EE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_051039B0 NtGetContextThread,	5_2_051039B0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102B80 NtQueryInformationFile,	5_2_05102B80
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102BA0 NtEnumerateValueKey,	5_2_05102BA0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102AB0 NtWaitForSingleObject,	5_2_05102AB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05102AF0 NtWriteFile,	5_2_05102AF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02E8A3D0 NtReadFile,	5_2_02E8A3D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02E8A320 NtCreateFile,	5_2_02E8A320
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02E8A450 NtClose,	5_2_02E8A450
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02E8A500 NtAllocateVirtualMemory,	5_2_02E8A500
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02E8A44A NtReadFile,NtClose,	5_2_02E8A44A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04DDA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	5_2_04DDA036
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04DD9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	5_2_04DD9BAF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04DDA042 NtQueryInformationProcess,	5_2_04DDA042
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04DD9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_04DD9BB2

Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 0_2_0173DEEC	0_2_0173DEEC
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 0_2_033B0006	0_2_033B0006
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 0_2_033B0040	0_2_033B0040
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 0_2_08350040	0_2_08350040
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 0_2_08358D68	0_2_08358D68
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 0_2_08350006	0_2_08350006
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 0_2_08354A08	0_2_08354A08
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 0_2_08356A78	0_2_08356A78
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 0_2_08355278	0_2_08355278
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 0_2_08356A67	0_2_08356A67
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 0_2_08355269	0_2_08355269
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 0_2_0835BA88	0_2_0835BA88
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 0_2_08358470	0_2_08358470
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 0_2_08358D58	0_2_08358D58
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 0_2_083545D0	0_2_083545D0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 0_2_08354E31	0_2_08354E31
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0041D94E	3_2_0041D94E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_00401174	3_2_00401174
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_00401208	3_2_00401208
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0041EB49	3_2_0041EB49
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0041D563	3_2_0041D563
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_00409E4B	3_2_00409E4B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_00409E50	3_2_00409E50
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019901AA	3_2_019901AA
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019841A2	3_2_019841A2
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019881CC	3_2_019881CC
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C0100	3_2_018C0100
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196A118	3_2_0196A118
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01958158	3_2_01958158
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01962000	3_2_01962000
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018DE3F0	3_2_018DE3F0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019903E6	3_2_019903E6
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0198A352	3_2_0198A352
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019502C0	3_2_019502C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01970274	3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01990591	3_2_01990591
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0535	3_2_018D0535
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0197E4F6	3_2_0197E4F6
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01974420	3_2_01974420
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01982446	3_2_01982446
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CC7C0	3_2_018CC7C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F4750	3_2_018F4750
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0770	3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EC6E0	3_2_018EC6E0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D29A0	3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0199A9A6	3_2_0199A9A6
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E6962	3_2_018E6962
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018B68B8	3_2_018B68B8
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FE8F0	3_2_018FE8F0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D2840	3_2_018D2840
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018DA840	3_2_018DA840
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01986BD7	3_2_01986BD7
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0198AB40	3_2_0198AB40
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CEA80	3_2_018CEA80
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E8DBF	3_2_018E8DBF
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CADE0	3_2_018CADE0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196CD1F	3_2_0196CD1F
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018DAD00	3_2_018DAD00
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01970CB5	3_2_01970CB5
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C0CF2	3_2_018C0CF2
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0C00	3_2_018D0C00
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194EFA0	3_2_0194EFA0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C2FC8	3_2_018C2FC8
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018DCFE0	3_2_018DCFE0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01972F30	3_2_01972F30
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01912F28	3_2_01912F28
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F0F30	3_2_018F0F30
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01944F40	3_2_01944F40
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0198CE93	3_2_0198CE93
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E2E90	3_2_018E2E90
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0198EEDB	3_2_0198EEDB
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0198EE26	3_2_0198EE26
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0E59	3_2_018D0E59
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018DB1B0	3_2_018DB1B0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0199B16B	3_2_0199B16B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018BF172	3_2_018BF172
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0190516C	3_2_0190516C
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D70C0	3_2_018D70C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0197F0CC	3_2_0197F0CC
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019870E9	3_2_019870E9
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0198F0E0	3_2_0198F0E0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0191739A	3_2_0191739A
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0198132D	3_2_0198132D
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018BD34C	3_2_018BD34C
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D52A0	3_2_018D52A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EB2C0	3_2_018EB2C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019712ED	3_2_019712ED
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196D5B0	3_2_0196D5B0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019995C3	3_2_019995C3
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01987571	3_2_01987571
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0198F43F	3_2_0198F43F
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C1460	3_2_018C1460
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0198F7B0	3_2_0198F7B0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019816CC	3_2_019816CC
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01915630	3_2_01915630
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01965910	3_2_01965910
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D9950	3_2_018D9950
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EB950	3_2_018EB950
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D38E0	3_2_018D38E0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193D800	3_2_0193D800
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EFB80	3_2_018EFB80
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01945BF0	3_2_01945BF0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0190DBF9	3_2_0190DBF9
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0198FB76	3_2_0198FB76
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01915AA0	3_2_01915AA0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01971AA3	3_2_01971AA3
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196DAAC	3_2_0196DAAC
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0197DAC6	3_2_0197DAC6
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0198FA49	3_2_0198FA49
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01987A46	3_2_01987A46
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01943A6C	3_2_01943A6C
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EFDC0	3_2_018EFDC0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01981D5A	3_2_01981D5A
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D3D40	3_2_018D3D40
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01987D73	3_2_01987D73
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0198FCF2	3_2_0198FCF2
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01949C32	3_2_01949C32
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D1F92	3_2_018D1F92
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0198FFB1	3_2_0198FFB1
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01893FD2	3_2_01893FD2
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01893FD5	3_2_01893FD5
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0198FF09	3_2_0198FF09
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D9EB0	3_2_018D9EB0
Source: C:\Windows\explorer.exe	Code function: 4_2_0EF7C232	4_2_0EF7C232
Source: C:\Windows\explorer.exe	Code function: 4_2_0EF76B32	4_2_0EF76B32
Source: C:\Windows\explorer.exe	Code function: 4_2_0EF76B30	4_2_0EF76B30
Source: C:\Windows\explorer.exe	Code function: 4_2_0EF72082	4_2_0EF72082
Source: C:\Windows\explorer.exe	Code function: 4_2_0EF7B036	4_2_0EF7B036
Source: C:\Windows\explorer.exe	Code function: 4_2_0EF7F5CD	4_2_0EF7F5CD
Source: C:\Windows\explorer.exe	Code function: 4_2_0EF79912	4_2_0EF79912
Source: C:\Windows\explorer.exe	Code function: 4_2_0EF73D02	4_2_0EF73D02
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002CC803	5_2_002CC803
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002AF0DB	5_2_002AF0DB
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002A5950	5_2_002A5950
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002BFCE7	5_2_002BFCE7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002B4702	5_2_002B4702
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002C2FD3	5_2_002C2FD3
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050D0535	5_2_050D0535
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05187571	5_2_05187571
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05190591	5_2_05190591
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0516D5B0	5_2_0516D5B0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0518F43F	5_2_0518F43F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05182446	5_2_05182446
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050C1460	5_2_050C1460
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0517E4F6	5_2_0517E4F6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050F4750	5_2_050F4750
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050D0770	5_2_050D0770
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0518F7B0	5_2_0518F7B0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050CC7C0	5_2_050CC7C0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_051816CC	5_2_051816CC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050EC6E0	5_2_050EC6E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050C0100	5_2_050C0100
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0516A118	5_2_0516A118
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05158158	5_2_05158158
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0519B16B	5_2_0519B16B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050BF172	5_2_050BF172
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0510516C	5_2_0510516C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_051901AA	5_2_051901AA
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050DB1B0	5_2_050DB1B0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_051881CC	5_2_051881CC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050D70C0	5_2_050D70C0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0517F0CC	5_2_0517F0CC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_051870E9	5_2_051870E9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0518F0E0	5_2_0518F0E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0518132D	5_2_0518132D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050BD34C	5_2_050BD34C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0518A352	5_2_0518A352
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0511739A	5_2_0511739A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050DE3F0	5_2_050DE3F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_051903E6	5_2_051903E6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05170274	5_2_05170274
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050D52A0	5_2_050D52A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050EB2C0	5_2_050EB2C0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_051502C0	5_2_051502C0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_051712ED	5_2_051712ED
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050DAD00	5_2_050DAD00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05181D5A	5_2_05181D5A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050D3D40	5_2_050D3D40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05187D73	5_2_05187D73
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050E8DBF	5_2_050E8DBF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050EFDC0	5_2_050EFDC0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050CADE0	5_2_050CADE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050D0C00	5_2_050D0C00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05149C32	5_2_05149C32
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05170CB5	5_2_05170CB5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0518FCF2	5_2_0518FCF2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050C0CF2	5_2_050C0CF2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0518FF09	5_2_0518FF09
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05112F28	5_2_05112F28
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050F0F30	5_2_050F0F30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05144F40	5_2_05144F40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050D1F92	5_2_050D1F92
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0518FFB1	5_2_0518FFB1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0514EFA0	5_2_0514EFA0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050C2FC8	5_2_050C2FC8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05093FD2	5_2_05093FD2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05093FD5	5_2_05093FD5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050DCFE0	5_2_050DCFE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0518EE26	5_2_0518EE26
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050D0E59	5_2_050D0E59
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0518CE93	5_2_0518CE93
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050E2E90	5_2_050E2E90
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050D9EB0	5_2_050D9EB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0518EEDB	5_2_0518EEDB
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050D9950	5_2_050D9950
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050EB950	5_2_050EB950
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050E6962	5_2_050E6962
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050D29A0	5_2_050D29A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0519A9A6	5_2_0519A9A6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0513D800	5_2_0513D800
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050D2840	5_2_050D2840
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050DA840	5_2_050DA840
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050B68B8	5_2_050B68B8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050D38E0	5_2_050D38E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050FE8F0	5_2_050FE8F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0518AB40	5_2_0518AB40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0518FB76	5_2_0518FB76
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050EFB80	5_2_050EFB80
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05186BD7	5_2_05186BD7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05145BF0	5_2_05145BF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0510DBF9	5_2_0510DBF9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0518FA49	5_2_0518FA49
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05187A46	5_2_05187A46
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05143A6C	5_2_05143A6C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_050CEA80	5_2_050CEA80
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_05115AA0	5_2_05115AA0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0516DAAC	5_2_0516DAAC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0517DAC6	5_2_0517DAC6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02E8EB49	5_2_02E8EB49
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02E79E4B	5_2_02E79E4B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02E79E50	5_2_02E79E50
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02E72FB0	5_2_02E72FB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02E72D90	5_2_02E72D90
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04DDA036	5_2_04DDA036
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04DDE5CD	5_2_04DDE5CD
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04DD2D02	5_2_04DD2D02
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04DD1082	5_2_04DD1082
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04DD8912	5_2_04DD8912
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04DDB232	5_2_04DDB232
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04DD5B30	5_2_04DD5B30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04DD5B32	5_2_04DD5B32

Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 002CE523 appears 31 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 05117E54 appears 96 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 002919DB appears 34 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 05105130 appears 36 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 050BB970 appears 272 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 0513EA12 appears 86 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 002999E8 appears 891 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 0514F290 appears 105 times
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: String function: 018BB970 appears 280 times
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: String function: 0194F290 appears 105 times
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: String function: 01917E54 appears 111 times
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: String function: 0193EA12 appears 86 times
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: String function: 01905130 appears 58 times

Source: DOC_PDF.exe, 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs DOC_PDF.exe
Source: DOC_PDF.exe, 00000000.00000000.2031155338.0000000000F68000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemJGu.exe> vs DOC_PDF.exe
Source: DOC_PDF.exe, 00000000.00000002.2065517443.00000000082B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs DOC_PDF.exe
Source: DOC_PDF.exe, 00000003.00000002.2104291686.0000000001D30000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamemsdt.exej% vs DOC_PDF.exe
Source: DOC_PDF.exe, 00000003.00000002.2102921676.00000000019BD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DOC_PDF.exe
Source: DOC_PDF.exe	Binary or memory string: OriginalFilenamemJGu.exe> vs DOC_PDF.exe

Source: DOC_PDF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.DOC_PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.DOC_PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.DOC_PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.DOC_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.DOC_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.DOC_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4519710590.0000000010520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: DOC_PDF.exe PID: 6620, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: DOC_PDF.exe PID: 5740, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msdt.exe PID: 4320, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: DOC_PDF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, qvUpK54jLa4D0hOo8U.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, qvUpK54jLa4D0hOo8U.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, qvUpK54jLa4D0hOo8U.cs	Security API names: _0020.AddAccessRule
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, qvUpK54jLa4D0hOo8U.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, qvUpK54jLa4D0hOo8U.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, qvUpK54jLa4D0hOo8U.cs	Security API names: _0020.AddAccessRule
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, kaGBmd7IL3A7gie4gL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, kaGBmd7IL3A7gie4gL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/1@11/0

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 5_2_002C2826 VariantInit,CoCreateInstance,SysFreeString,SysStringLen,GetProcessHeap,HeapAlloc,WideCharToMultiByte,GetLastError,VariantClear,CreateStreamOnHGlobal,VariantClear,GetProcessHeap,HeapFree,SysFreeString,

5_2_002C2826

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 5_2_002C1DB3 FindResourceW,GetLastError,LoadResource,GetLastError,LockResource,SizeofResource,GetLastError,GlobalAlloc,GetLastError,GlobalLock,GetLastError,memcpy,CreateStreamOnHGlobal,FreeResource,GlobalUnlock,GlobalFree,

5_2_002C1DB3

Source: C:\Users\user\Desktop\DOC_PDF.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DOC_PDF.exe.log

Source: C:\Users\user\Desktop\DOC_PDF.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\DOC_PDF.exe	Mutant created: \Sessions\1\BaseNamedObjects\quRFdtlEfmViPotvOfS
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03

Source: DOC_PDF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DOC_PDF.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\DOC_PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: DOC_PDF.exe

ReversingLabs: Detection: 58%

Source: unknown	Process created: C:\Users\user\Desktop\DOC_PDF.exe "C:\Users\user\Desktop\DOC_PDF.exe"
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process created: C:\Users\user\Desktop\DOC_PDF.exe "C:\Users\user\Desktop\DOC_PDF.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DOC_PDF.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process created: C:\Users\user\Desktop\DOC_PDF.exe "C:\Users\user\Desktop\DOC_PDF.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DOC_PDF.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior

Source: C:\Users\user\Desktop\DOC_PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: C:\Users\user\Desktop\DOC_PDF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

.NET source code contains potential unpacker

Source: DOC_PDF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DOC_PDF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: DOC_PDF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: msdt.pdbGCTL source: DOC_PDF.exe, 00000003.00000002.2104291686.0000000001D30000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 00000005.00000002.4502325563.0000000000280000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: DOC_PDF.exe, 00000003.00000002.2102921676.0000000001890000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2106101852.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.4503940124.0000000005090000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.4503940124.000000000522E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2102931452.0000000004D30000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DOC_PDF.exe, DOC_PDF.exe, 00000003.00000002.2102921676.0000000001890000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, msdt.exe, 00000005.00000003.2106101852.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.4503940124.0000000005090000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000002.4503940124.000000000522E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000005.00000003.2102931452.0000000004D30000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mJGu.pdb source: DOC_PDF.exe
Source:	Binary string: mJGu.pdbSHA256 source: DOC_PDF.exe
Source:	Binary string: msdt.pdb source: DOC_PDF.exe, 00000003.00000002.2104291686.0000000001D30000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, msdt.exe, 00000005.00000002.4502325563.0000000000280000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

Source: DOC_PDF.exe, MainForm.cs	.Net Code: InitializeComponent
Source: 0.2.DOC_PDF.exe.34698e4.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, qvUpK54jLa4D0hOo8U.cs	.Net Code: nOS8QND6g2 System.Reflection.Assembly.Load(byte[])
Source: 0.2.DOC_PDF.exe.76b0000.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, qvUpK54jLa4D0hOo8U.cs	.Net Code: nOS8QND6g2 System.Reflection.Assembly.Load(byte[])
Source: 0.2.DOC_PDF.exe.345c734.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 4.2.explorer.exe.10aff840.0.raw.unpack, MainForm.cs	.Net Code: InitializeComponent
Source: 5.2.msdt.exe.55df840.3.raw.unpack, MainForm.cs	.Net Code: InitializeComponent

Source: DOC_PDF.exe

Static PE information: 0xCCFF9492 [Mon Dec 26 17:36:18 2078 UTC]

Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 0_2_033BEB08 pushfd ; iretd	0_2_033BEB09
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0041E03F push F69B27B4h; ret	3_2_0041E044
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_004169E1 push cs; ret	3_2_00416A1B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_00416996 push cs; ret	3_2_00416A1B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_004179BE push esp; ret	3_2_004179C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0041645D push 22047084h; ret	3_2_00416462
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0041D475 push eax; ret	3_2_0041D4C8
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0041D4C2 push eax; ret	3_2_0041D4C8
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0041D4CB push eax; ret	3_2_0041D532
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0041D52C push eax; ret	3_2_0041D532
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_004035C8 push esi; iretd	3_2_004035CF
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_004175A0 pushfd ; iretd	3_2_004175B5
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0041DE4A push ebp; iretd	3_2_0041DE52
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_004176EF push cs; ret	3_2_004176D4
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_004176A1 push cs; ret	3_2_004176D4
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0189225F pushad ; ret	3_2_018927F9
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018927FA pushad ; ret	3_2_018927F9
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C09AD push ecx; mov dword ptr [esp], ecx	3_2_018C09B6
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0189283D push eax; iretd	3_2_01892858
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01891200 push eax; iretd	3_2_01891369
Source: C:\Windows\explorer.exe	Code function: 4_2_0EF7FB1E push esp; retn 0000h	4_2_0EF7FB1F
Source: C:\Windows\explorer.exe	Code function: 4_2_0EF7FB02 push esp; retn 0000h	4_2_0EF7FB03
Source: C:\Windows\explorer.exe	Code function: 4_2_0EF7F9B5 push esp; retn 0000h	4_2_0EF7FAE7
Source: C:\Windows\explorer.exe	Code function: 4_2_10403873 push eax; ret	4_2_10403874
Source: C:\Windows\explorer.exe	Code function: 4_2_10401E74 push ecx; iretd	4_2_10401E76
Source: C:\Windows\explorer.exe	Code function: 4_2_10401C10 push edi; ret	4_2_10401C2B
Source: C:\Windows\explorer.exe	Code function: 4_2_1040322C push edi; retf	4_2_104032AF
Source: C:\Windows\explorer.exe	Code function: 4_2_10403288 push edi; retf	4_2_104032AF
Source: C:\Windows\explorer.exe	Code function: 4_2_10402E94 push ebx; iretd	4_2_10402F30
Source: C:\Windows\explorer.exe	Code function: 4_2_10403346 push esi; retf	4_2_1040334F
Source: C:\Windows\explorer.exe	Code function: 4_2_10401D48 push 90F076E7h; ret	4_2_10401D4D

Source: DOC_PDF.exe

Static PE information: section name: .text entropy: 7.806630339806879

Source: 0.2.DOC_PDF.exe.34698e4.0.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.DOC_PDF.exe.34698e4.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, kaGBmd7IL3A7gie4gL.cs	High entropy of concatenated method names: 'TshlAjPJZL', 'j76lE2RSAa', 'eIMl1XYK80', 'Fd4lNyhLyG', 'wAUlmG9fX2', 'pPElj6AcSC', 'Y5Ylw0Wtyu', 'uKjlYEWN24', 'kLFlJWw8t9', 'ATXlaECreM'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, qvUpK54jLa4D0hOo8U.cs	High entropy of concatenated method names: 'e3vBXHLhG2', 'w0cBHQfGWy', 'TpjBlvWHH9', 'AjgBRVEYuF', 'VuOBclPojZ', 'ytDBCXcePX', 'nrhBO8Ks68', 'nA2B4wDg8Y', 'lyOBho3X1n', 'VFaBfUIfsD'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, ja0FrxTKZaBXr6wtsN.cs	High entropy of concatenated method names: 'CatOH9nCgp', 'dPROR5TW6W', 'u2COCEFQNH', 'QqoCamf6I8', 'm5oCzA6a2K', 'yHyOkajt58', 'Lj3OqQ1lJv', 'Ik0O6YEeGi', 'YxVOBOg1Yo', 'JCkO8mIlEL'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, QCtMcHNdkjLmfehFJJ.cs	High entropy of concatenated method names: 'LxUiftudFk', 'Uwui5STqaE', 'ToString', 'wSHiHHxApx', 'JZvil9Lr4K', 'pcMiR3CtIY', 'nDxic5fSo2', 'fIZiCSEmQD', 'wjEiOH2ZwF', 'rydi4W70NF'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, MITUhauvnfmoykYTqq.cs	High entropy of concatenated method names: 'hWnO9tR90Z', 'RPlOg7Voll', 'J9jOQPsWsn', 'T23OtqHiVh', 'zIuOdy1osa', 'phdOvddFVE', 'P8FO0nHDu7', 'bEcO7i7q7G', 'LLVOMUN1jj', 'aQBOGBVTyC'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, jbhZerAV999bCjLvh3.cs	High entropy of concatenated method names: 'w3RnSxZMX5', 'T9inUwcilY', 'g1nnAXwSyP', 'i6QnEAtd6e', 'pyXnWEaM6S', 'YMGnK9711T', 'PD7nD4vgHd', 'UCinVGNKMe', 'fWonrTE6P6', 'GrgnTaXEJA'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, nDVKwsqkqtbqtimbRvH.cs	High entropy of concatenated method names: 'sSfs9dymTW', 'vCnsgwsXcC', 'v8qsQ1k50b', 'C5VstNy2Yv', 'WAosd4ZixB', 'fi6svf6QLU', 'Ccts0tH9qd', 'q2Vs7LHjt7', 'UtosMyQu2T', 'R9RsGDG15n'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, mi2vS06JFYcge8cJoT.cs	High entropy of concatenated method names: 'ijyQtGxoP', 'uSYtDj0yv', 'MSLvDqLnx', 'D5s0GKYi3', 'XOGMWJnxB', 'yyuGEf5Mo', 'SyCbsdWr4WpbHsjmj1', 'zfUAZl5hcdC1RcJBJV', 'UuXPhQTpr', 'wytbM9heC'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, HAFWCwl0wYV1TKc6JB.cs	High entropy of concatenated method names: 'Dispose', 'Ps5qJehSOS', 'T4V6WWT0UJ', 'Ilpggpho9I', 'VSSqabGYCi', 'LNJqzvf3qI', 'ProcessDialogKey', 'UYs6kYnkvU', 'rWf6qBSvcp', 'SeR66Xsw2P'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, kRiFjiqqm6lUi7TpIZ9.cs	High entropy of concatenated method names: 'ToString', 'eMIbBhtbg0', 'idjb8DwYql', 'zAybXfgVfo', 'ge8bHQPAwJ', 'IngblQd15S', 'Q6gbRNcssi', 'EyTbck6T4h', 'l40YXvAO2OtCux7W14Z', 'xDiS9TA1nnTpNBLwbct'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, Sq34kgFFB7d6NqHHEk.cs	High entropy of concatenated method names: 'Mixp7T4cIq', 'L8rpM1upqb', 'QTIpZebKrr', 'zsCpWOKuJd', 'KSNpDCEHAo', 'BQcpVw1bSP', 'scUpT7cJrx', 'wZBpxRubdw', 'vn4pSEjnsi', 'ND1pyb9UbZ'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, NSbGYCYiTNJvf3qImY.cs	High entropy of concatenated method names: 'khwPHJhNnf', 'QxWPlNFEAX', 'SjRPRxjb29', 'aitPcykvf3', 'pyCPCsZfUD', 'ekdPO14mIS', 'OJiP4iMxIm', 'HdSPhkGV1Q', 'abmPffKnHW', 'f47P5mgPgG'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, uvx5IhqBbtBJdXBT7hK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Bl4bAUGNvl', 'S3HbE2Js6j', 'G1Xb1PFgEf', 'ARBbNh4dxo', 'JZibmRtShS', 'N0hbjCneJn', 'SM5bwaJ18E'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, FeJObWZn6B0YmoJaZH.cs	High entropy of concatenated method names: 'xmOCXGf5FG', 'UgWClyfWkp', 'BHwCc6lkFI', 'jf3CORu9QE', 'nfxC41hJ71', 'a0Jcmkgssr', 'dZFcjBbHTM', 'DxEcw0OJY5', 'NPMcYgFQoR', 'TumcJnyDaE'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, XSjCJsG9WsDXjdgYs9.cs	High entropy of concatenated method names: 'NwGcdX8s03', 'Jtlc033kFB', 'h7vRKKN01u', 'c0FRDS2AAw', 'DTERVSwtNq', 'zVURrDe8DM', 'yToRTPCb7p', 'RpGRxA1t6j', 'fUpRuXm3Lt', 't8ORSMxOMH'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, GmQJ8Dq67Fj8S6cvP8x.cs	High entropy of concatenated method names: 'I60b9FPtXc', 'Lf6bgiy0Mq', 'UZvbQ0C6q6', 'u5fJj2AtbFwQBGJcXeC', 'JHO1soAaucEYu1v7Od4', 'LJGpQiAHXo2TuJeCodh', 'rVSQtuACZ08U3j52EMQ', 'Dl6kigA0lYk3q3ZOJ6l'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, LS0I0oM0IRdNrt8PB6.cs	High entropy of concatenated method names: 'IbZRtHId8b', 'q1IRvMDyWH', 'sCrR7GLJar', 'gRsRM8rv8w', 'EBGRnSVkWY', 'I77ReeVg1e', 'M3ORiJ5a1l', 'pgTRPlvF1i', 'XSIRs0W2TK', 'pQERbhS9cW'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, rYnkvUJPWfBSvcpEeR.cs	High entropy of concatenated method names: 'YxiPZERhUi', 'PuQPW0TP22', 'N3lPKAZtn4', 'miVPD8dRdO', 'JpRPAVBAbh', 'WlNPVXib1h', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DOC_PDF.exe.461af80.2.raw.unpack, xw56Ae8FFfYwaKqXtX.cs	High entropy of concatenated method names: 'Vv4qOaGBmd', 'wL3q4A7gie', 'v0IqfRdNrt', 'ePBq56YSjC', 'AgYqns9GeJ', 'jbWqen6B0Y', 'v4idR4zXiNZshdJNAB', 'vpBqOeKNk5ZbQgDOPW8', 'QdGqqvYUmS', 'BpiqB03wkB'
Source: 0.2.DOC_PDF.exe.76b0000.3.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.DOC_PDF.exe.76b0000.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, kaGBmd7IL3A7gie4gL.cs	High entropy of concatenated method names: 'TshlAjPJZL', 'j76lE2RSAa', 'eIMl1XYK80', 'Fd4lNyhLyG', 'wAUlmG9fX2', 'pPElj6AcSC', 'Y5Ylw0Wtyu', 'uKjlYEWN24', 'kLFlJWw8t9', 'ATXlaECreM'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, qvUpK54jLa4D0hOo8U.cs	High entropy of concatenated method names: 'e3vBXHLhG2', 'w0cBHQfGWy', 'TpjBlvWHH9', 'AjgBRVEYuF', 'VuOBclPojZ', 'ytDBCXcePX', 'nrhBO8Ks68', 'nA2B4wDg8Y', 'lyOBho3X1n', 'VFaBfUIfsD'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, ja0FrxTKZaBXr6wtsN.cs	High entropy of concatenated method names: 'CatOH9nCgp', 'dPROR5TW6W', 'u2COCEFQNH', 'QqoCamf6I8', 'm5oCzA6a2K', 'yHyOkajt58', 'Lj3OqQ1lJv', 'Ik0O6YEeGi', 'YxVOBOg1Yo', 'JCkO8mIlEL'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, QCtMcHNdkjLmfehFJJ.cs	High entropy of concatenated method names: 'LxUiftudFk', 'Uwui5STqaE', 'ToString', 'wSHiHHxApx', 'JZvil9Lr4K', 'pcMiR3CtIY', 'nDxic5fSo2', 'fIZiCSEmQD', 'wjEiOH2ZwF', 'rydi4W70NF'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, MITUhauvnfmoykYTqq.cs	High entropy of concatenated method names: 'hWnO9tR90Z', 'RPlOg7Voll', 'J9jOQPsWsn', 'T23OtqHiVh', 'zIuOdy1osa', 'phdOvddFVE', 'P8FO0nHDu7', 'bEcO7i7q7G', 'LLVOMUN1jj', 'aQBOGBVTyC'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, jbhZerAV999bCjLvh3.cs	High entropy of concatenated method names: 'w3RnSxZMX5', 'T9inUwcilY', 'g1nnAXwSyP', 'i6QnEAtd6e', 'pyXnWEaM6S', 'YMGnK9711T', 'PD7nD4vgHd', 'UCinVGNKMe', 'fWonrTE6P6', 'GrgnTaXEJA'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, nDVKwsqkqtbqtimbRvH.cs	High entropy of concatenated method names: 'sSfs9dymTW', 'vCnsgwsXcC', 'v8qsQ1k50b', 'C5VstNy2Yv', 'WAosd4ZixB', 'fi6svf6QLU', 'Ccts0tH9qd', 'q2Vs7LHjt7', 'UtosMyQu2T', 'R9RsGDG15n'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, mi2vS06JFYcge8cJoT.cs	High entropy of concatenated method names: 'ijyQtGxoP', 'uSYtDj0yv', 'MSLvDqLnx', 'D5s0GKYi3', 'XOGMWJnxB', 'yyuGEf5Mo', 'SyCbsdWr4WpbHsjmj1', 'zfUAZl5hcdC1RcJBJV', 'UuXPhQTpr', 'wytbM9heC'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, HAFWCwl0wYV1TKc6JB.cs	High entropy of concatenated method names: 'Dispose', 'Ps5qJehSOS', 'T4V6WWT0UJ', 'Ilpggpho9I', 'VSSqabGYCi', 'LNJqzvf3qI', 'ProcessDialogKey', 'UYs6kYnkvU', 'rWf6qBSvcp', 'SeR66Xsw2P'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, kRiFjiqqm6lUi7TpIZ9.cs	High entropy of concatenated method names: 'ToString', 'eMIbBhtbg0', 'idjb8DwYql', 'zAybXfgVfo', 'ge8bHQPAwJ', 'IngblQd15S', 'Q6gbRNcssi', 'EyTbck6T4h', 'l40YXvAO2OtCux7W14Z', 'xDiS9TA1nnTpNBLwbct'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, Sq34kgFFB7d6NqHHEk.cs	High entropy of concatenated method names: 'Mixp7T4cIq', 'L8rpM1upqb', 'QTIpZebKrr', 'zsCpWOKuJd', 'KSNpDCEHAo', 'BQcpVw1bSP', 'scUpT7cJrx', 'wZBpxRubdw', 'vn4pSEjnsi', 'ND1pyb9UbZ'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, NSbGYCYiTNJvf3qImY.cs	High entropy of concatenated method names: 'khwPHJhNnf', 'QxWPlNFEAX', 'SjRPRxjb29', 'aitPcykvf3', 'pyCPCsZfUD', 'ekdPO14mIS', 'OJiP4iMxIm', 'HdSPhkGV1Q', 'abmPffKnHW', 'f47P5mgPgG'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, uvx5IhqBbtBJdXBT7hK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Bl4bAUGNvl', 'S3HbE2Js6j', 'G1Xb1PFgEf', 'ARBbNh4dxo', 'JZibmRtShS', 'N0hbjCneJn', 'SM5bwaJ18E'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, FeJObWZn6B0YmoJaZH.cs	High entropy of concatenated method names: 'xmOCXGf5FG', 'UgWClyfWkp', 'BHwCc6lkFI', 'jf3CORu9QE', 'nfxC41hJ71', 'a0Jcmkgssr', 'dZFcjBbHTM', 'DxEcw0OJY5', 'NPMcYgFQoR', 'TumcJnyDaE'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, XSjCJsG9WsDXjdgYs9.cs	High entropy of concatenated method names: 'NwGcdX8s03', 'Jtlc033kFB', 'h7vRKKN01u', 'c0FRDS2AAw', 'DTERVSwtNq', 'zVURrDe8DM', 'yToRTPCb7p', 'RpGRxA1t6j', 'fUpRuXm3Lt', 't8ORSMxOMH'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, GmQJ8Dq67Fj8S6cvP8x.cs	High entropy of concatenated method names: 'I60b9FPtXc', 'Lf6bgiy0Mq', 'UZvbQ0C6q6', 'u5fJj2AtbFwQBGJcXeC', 'JHO1soAaucEYu1v7Od4', 'LJGpQiAHXo2TuJeCodh', 'rVSQtuACZ08U3j52EMQ', 'Dl6kigA0lYk3q3ZOJ6l'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, LS0I0oM0IRdNrt8PB6.cs	High entropy of concatenated method names: 'IbZRtHId8b', 'q1IRvMDyWH', 'sCrR7GLJar', 'gRsRM8rv8w', 'EBGRnSVkWY', 'I77ReeVg1e', 'M3ORiJ5a1l', 'pgTRPlvF1i', 'XSIRs0W2TK', 'pQERbhS9cW'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, rYnkvUJPWfBSvcpEeR.cs	High entropy of concatenated method names: 'YxiPZERhUi', 'PuQPW0TP22', 'N3lPKAZtn4', 'miVPD8dRdO', 'JpRPAVBAbh', 'WlNPVXib1h', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DOC_PDF.exe.82b0000.4.raw.unpack, xw56Ae8FFfYwaKqXtX.cs	High entropy of concatenated method names: 'Vv4qOaGBmd', 'wL3q4A7gie', 'v0IqfRdNrt', 'ePBq56YSjC', 'AgYqns9GeJ', 'jbWqen6B0Y', 'v4idR4zXiNZshdJNAB', 'vpBqOeKNk5ZbQgDOPW8', 'QdGqqvYUmS', 'BpiqB03wkB'
Source: 0.2.DOC_PDF.exe.345c734.1.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.DOC_PDF.exe.345c734.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE1

Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: DOC_PDF.exe PID: 6620, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\DOC_PDF.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Users\user\Desktop\DOC_PDF.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Users\user\Desktop\DOC_PDF.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Users\user\Desktop\DOC_PDF.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Users\user\Desktop\DOC_PDF.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Users\user\Desktop\DOC_PDF.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\DOC_PDF.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DOC_PDF.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 2E79904 second address: 2E7990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 2E79B6E second address: 2E79B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\DOC_PDF.exe	Memory allocated: 16C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Memory allocated: 33D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Memory allocated: 3240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Memory allocated: 84A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Memory allocated: 94A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Memory allocated: 9660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Memory allocated: A660000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\DOC_PDF.exe

Code function: 3_2_00409AA0 rdtsc

3_2_00409AA0

Source: C:\Users\user\Desktop\DOC_PDF.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9850	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 891	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 861	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Window / User API: threadDelayed 5375	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Window / User API: threadDelayed 4596	Jump to behavior

Source: C:\Users\user\Desktop\DOC_PDF.exe	API coverage: 1.6 %
Source: C:\Windows\SysWOW64\msdt.exe	API coverage: 0.8 %

Source: C:\Users\user\Desktop\DOC_PDF.exe TID: 6256	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6180	Thread sleep count: 9850 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6180	Thread sleep time: -19700000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6180	Thread sleep count: 96 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6180	Thread sleep time: -192000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002B602D GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree,	5_2_002B602D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002C60A8 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	5_2_002C60A8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002B1B92 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,	5_2_002B1B92
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002B5C20 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	5_2_002B5C20
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002C743A memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	5_2_002C743A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002B4CB6 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,	5_2_002B4CB6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_002B4EDC memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,	5_2_002B4EDC

Source: C:\Users\user\Desktop\DOC_PDF.exe

Thread delayed: delay time: 922337203685477

Source: explorer.exe, 00000004.00000003.3827270143.0000000009C92000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000004.00000000.2056628232.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000004.00000002.4510666183.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000004.00000002.4513465744.0000000009C22000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000004.00000002.4510666183.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000004.00000002.4510666183.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000004.00000003.3827270143.0000000009C92000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000003.3097162439.000000000354D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000004.00000003.3827270143.0000000009C92000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000002.4502583953.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000004.00000003.3097162439.000000000354D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000004.00000000.2056628232.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000004.00000000.2058647031.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510666183.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000003.3097162439.000000000354D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000004.00000003.3097162439.000000000354D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 00000004.00000002.4513465744.0000000009C22000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000004.00000003.3827270143.0000000009C92000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: explorer.exe, 00000004.00000002.4502583953.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000004.00000002.4510666183.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.4506643376.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\DOC_PDF.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\DOC_PDF.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\DOC_PDF.exe

Code function: 3_2_00409AA0 rdtsc

3_2_00409AA0

Source: C:\Users\user\Desktop\DOC_PDF.exe

Code function: 3_2_0040ACE0 LdrLoadDll,

3_2_0040ACE0

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 5_2_002A0FA2 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

5_2_002A0FA2

Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194019F mov eax, dword ptr fs:[00000030h]	3_2_0194019F
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194019F mov eax, dword ptr fs:[00000030h]	3_2_0194019F
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194019F mov eax, dword ptr fs:[00000030h]	3_2_0194019F
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194019F mov eax, dword ptr fs:[00000030h]	3_2_0194019F
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01900185 mov eax, dword ptr fs:[00000030h]	3_2_01900185
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01964180 mov eax, dword ptr fs:[00000030h]	3_2_01964180
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01964180 mov eax, dword ptr fs:[00000030h]	3_2_01964180
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018BA197 mov eax, dword ptr fs:[00000030h]	3_2_018BA197
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018BA197 mov eax, dword ptr fs:[00000030h]	3_2_018BA197
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018BA197 mov eax, dword ptr fs:[00000030h]	3_2_018BA197
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0197C188 mov eax, dword ptr fs:[00000030h]	3_2_0197C188
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0197C188 mov eax, dword ptr fs:[00000030h]	3_2_0197C188
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193E1D0 mov eax, dword ptr fs:[00000030h]	3_2_0193E1D0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193E1D0 mov eax, dword ptr fs:[00000030h]	3_2_0193E1D0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193E1D0 mov ecx, dword ptr fs:[00000030h]	3_2_0193E1D0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193E1D0 mov eax, dword ptr fs:[00000030h]	3_2_0193E1D0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193E1D0 mov eax, dword ptr fs:[00000030h]	3_2_0193E1D0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019861C3 mov eax, dword ptr fs:[00000030h]	3_2_019861C3
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019861C3 mov eax, dword ptr fs:[00000030h]	3_2_019861C3
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F01F8 mov eax, dword ptr fs:[00000030h]	3_2_018F01F8
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019961E5 mov eax, dword ptr fs:[00000030h]	3_2_019961E5
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01980115 mov eax, dword ptr fs:[00000030h]	3_2_01980115
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196A118 mov ecx, dword ptr fs:[00000030h]	3_2_0196A118
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196A118 mov eax, dword ptr fs:[00000030h]	3_2_0196A118
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196A118 mov eax, dword ptr fs:[00000030h]	3_2_0196A118
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196A118 mov eax, dword ptr fs:[00000030h]	3_2_0196A118
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196E10E mov eax, dword ptr fs:[00000030h]	3_2_0196E10E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196E10E mov ecx, dword ptr fs:[00000030h]	3_2_0196E10E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196E10E mov eax, dword ptr fs:[00000030h]	3_2_0196E10E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196E10E mov eax, dword ptr fs:[00000030h]	3_2_0196E10E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196E10E mov ecx, dword ptr fs:[00000030h]	3_2_0196E10E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196E10E mov eax, dword ptr fs:[00000030h]	3_2_0196E10E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196E10E mov eax, dword ptr fs:[00000030h]	3_2_0196E10E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196E10E mov ecx, dword ptr fs:[00000030h]	3_2_0196E10E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196E10E mov eax, dword ptr fs:[00000030h]	3_2_0196E10E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196E10E mov ecx, dword ptr fs:[00000030h]	3_2_0196E10E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F0124 mov eax, dword ptr fs:[00000030h]	3_2_018F0124
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01958158 mov eax, dword ptr fs:[00000030h]	3_2_01958158
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01954144 mov eax, dword ptr fs:[00000030h]	3_2_01954144
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01954144 mov eax, dword ptr fs:[00000030h]	3_2_01954144
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01954144 mov ecx, dword ptr fs:[00000030h]	3_2_01954144
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01954144 mov eax, dword ptr fs:[00000030h]	3_2_01954144
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01954144 mov eax, dword ptr fs:[00000030h]	3_2_01954144
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C6154 mov eax, dword ptr fs:[00000030h]	3_2_018C6154
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C6154 mov eax, dword ptr fs:[00000030h]	3_2_018C6154
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018BC156 mov eax, dword ptr fs:[00000030h]	3_2_018BC156
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01994164 mov eax, dword ptr fs:[00000030h]	3_2_01994164
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01994164 mov eax, dword ptr fs:[00000030h]	3_2_01994164
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C208A mov eax, dword ptr fs:[00000030h]	3_2_018C208A
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019860B8 mov eax, dword ptr fs:[00000030h]	3_2_019860B8
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019860B8 mov ecx, dword ptr fs:[00000030h]	3_2_019860B8
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018B80A0 mov eax, dword ptr fs:[00000030h]	3_2_018B80A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019580A8 mov eax, dword ptr fs:[00000030h]	3_2_019580A8
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019420DE mov eax, dword ptr fs:[00000030h]	3_2_019420DE
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019020F0 mov ecx, dword ptr fs:[00000030h]	3_2_019020F0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C80E9 mov eax, dword ptr fs:[00000030h]	3_2_018C80E9
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018BA0E3 mov ecx, dword ptr fs:[00000030h]	3_2_018BA0E3
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019460E0 mov eax, dword ptr fs:[00000030h]	3_2_019460E0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018BC0F0 mov eax, dword ptr fs:[00000030h]	3_2_018BC0F0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01944000 mov ecx, dword ptr fs:[00000030h]	3_2_01944000
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01962000 mov eax, dword ptr fs:[00000030h]	3_2_01962000
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01962000 mov eax, dword ptr fs:[00000030h]	3_2_01962000
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01962000 mov eax, dword ptr fs:[00000030h]	3_2_01962000
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01962000 mov eax, dword ptr fs:[00000030h]	3_2_01962000
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01962000 mov eax, dword ptr fs:[00000030h]	3_2_01962000
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01962000 mov eax, dword ptr fs:[00000030h]	3_2_01962000
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01962000 mov eax, dword ptr fs:[00000030h]	3_2_01962000
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01962000 mov eax, dword ptr fs:[00000030h]	3_2_01962000
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018DE016 mov eax, dword ptr fs:[00000030h]	3_2_018DE016
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018DE016 mov eax, dword ptr fs:[00000030h]	3_2_018DE016
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018DE016 mov eax, dword ptr fs:[00000030h]	3_2_018DE016
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018DE016 mov eax, dword ptr fs:[00000030h]	3_2_018DE016
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01956030 mov eax, dword ptr fs:[00000030h]	3_2_01956030
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018BA020 mov eax, dword ptr fs:[00000030h]	3_2_018BA020
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018BC020 mov eax, dword ptr fs:[00000030h]	3_2_018BC020
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01946050 mov eax, dword ptr fs:[00000030h]	3_2_01946050
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C2050 mov eax, dword ptr fs:[00000030h]	3_2_018C2050
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EC073 mov eax, dword ptr fs:[00000030h]	3_2_018EC073
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E438F mov eax, dword ptr fs:[00000030h]	3_2_018E438F
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E438F mov eax, dword ptr fs:[00000030h]	3_2_018E438F
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018BE388 mov eax, dword ptr fs:[00000030h]	3_2_018BE388
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018BE388 mov eax, dword ptr fs:[00000030h]	3_2_018BE388
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018BE388 mov eax, dword ptr fs:[00000030h]	3_2_018BE388
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018B8397 mov eax, dword ptr fs:[00000030h]	3_2_018B8397
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018B8397 mov eax, dword ptr fs:[00000030h]	3_2_018B8397
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018B8397 mov eax, dword ptr fs:[00000030h]	3_2_018B8397
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019643D4 mov eax, dword ptr fs:[00000030h]	3_2_019643D4
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019643D4 mov eax, dword ptr fs:[00000030h]	3_2_019643D4
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CA3C0 mov eax, dword ptr fs:[00000030h]	3_2_018CA3C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CA3C0 mov eax, dword ptr fs:[00000030h]	3_2_018CA3C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CA3C0 mov eax, dword ptr fs:[00000030h]	3_2_018CA3C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CA3C0 mov eax, dword ptr fs:[00000030h]	3_2_018CA3C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CA3C0 mov eax, dword ptr fs:[00000030h]	3_2_018CA3C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CA3C0 mov eax, dword ptr fs:[00000030h]	3_2_018CA3C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C83C0 mov eax, dword ptr fs:[00000030h]	3_2_018C83C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C83C0 mov eax, dword ptr fs:[00000030h]	3_2_018C83C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C83C0 mov eax, dword ptr fs:[00000030h]	3_2_018C83C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C83C0 mov eax, dword ptr fs:[00000030h]	3_2_018C83C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196E3DB mov eax, dword ptr fs:[00000030h]	3_2_0196E3DB
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196E3DB mov eax, dword ptr fs:[00000030h]	3_2_0196E3DB
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196E3DB mov ecx, dword ptr fs:[00000030h]	3_2_0196E3DB
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196E3DB mov eax, dword ptr fs:[00000030h]	3_2_0196E3DB
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019463C0 mov eax, dword ptr fs:[00000030h]	3_2_019463C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0197C3CD mov eax, dword ptr fs:[00000030h]	3_2_0197C3CD
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D03E9 mov eax, dword ptr fs:[00000030h]	3_2_018D03E9
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D03E9 mov eax, dword ptr fs:[00000030h]	3_2_018D03E9
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D03E9 mov eax, dword ptr fs:[00000030h]	3_2_018D03E9
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D03E9 mov eax, dword ptr fs:[00000030h]	3_2_018D03E9
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D03E9 mov eax, dword ptr fs:[00000030h]	3_2_018D03E9
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D03E9 mov eax, dword ptr fs:[00000030h]	3_2_018D03E9
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D03E9 mov eax, dword ptr fs:[00000030h]	3_2_018D03E9
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D03E9 mov eax, dword ptr fs:[00000030h]	3_2_018D03E9
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F63FF mov eax, dword ptr fs:[00000030h]	3_2_018F63FF
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018DE3F0 mov eax, dword ptr fs:[00000030h]	3_2_018DE3F0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018DE3F0 mov eax, dword ptr fs:[00000030h]	3_2_018DE3F0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018DE3F0 mov eax, dword ptr fs:[00000030h]	3_2_018DE3F0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FA30B mov eax, dword ptr fs:[00000030h]	3_2_018FA30B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FA30B mov eax, dword ptr fs:[00000030h]	3_2_018FA30B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FA30B mov eax, dword ptr fs:[00000030h]	3_2_018FA30B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018BC310 mov ecx, dword ptr fs:[00000030h]	3_2_018BC310
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E0310 mov ecx, dword ptr fs:[00000030h]	3_2_018E0310
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01998324 mov eax, dword ptr fs:[00000030h]	3_2_01998324
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01998324 mov ecx, dword ptr fs:[00000030h]	3_2_01998324
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01998324 mov eax, dword ptr fs:[00000030h]	3_2_01998324
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01998324 mov eax, dword ptr fs:[00000030h]	3_2_01998324
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01968350 mov ecx, dword ptr fs:[00000030h]	3_2_01968350
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194035C mov eax, dword ptr fs:[00000030h]	3_2_0194035C
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194035C mov eax, dword ptr fs:[00000030h]	3_2_0194035C
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194035C mov eax, dword ptr fs:[00000030h]	3_2_0194035C
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194035C mov ecx, dword ptr fs:[00000030h]	3_2_0194035C
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194035C mov eax, dword ptr fs:[00000030h]	3_2_0194035C
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194035C mov eax, dword ptr fs:[00000030h]	3_2_0194035C
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0198A352 mov eax, dword ptr fs:[00000030h]	3_2_0198A352
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0199634F mov eax, dword ptr fs:[00000030h]	3_2_0199634F
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h]	3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h]	3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h]	3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h]	3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h]	3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h]	3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h]	3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h]	3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h]	3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h]	3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h]	3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h]	3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h]	3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h]	3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01942349 mov eax, dword ptr fs:[00000030h]	3_2_01942349
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196437C mov eax, dword ptr fs:[00000030h]	3_2_0196437C
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FE284 mov eax, dword ptr fs:[00000030h]	3_2_018FE284
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FE284 mov eax, dword ptr fs:[00000030h]	3_2_018FE284
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01940283 mov eax, dword ptr fs:[00000030h]	3_2_01940283
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01940283 mov eax, dword ptr fs:[00000030h]	3_2_01940283
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01940283 mov eax, dword ptr fs:[00000030h]	3_2_01940283
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D02A0 mov eax, dword ptr fs:[00000030h]	3_2_018D02A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D02A0 mov eax, dword ptr fs:[00000030h]	3_2_018D02A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019562A0 mov eax, dword ptr fs:[00000030h]	3_2_019562A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019562A0 mov ecx, dword ptr fs:[00000030h]	3_2_019562A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019562A0 mov eax, dword ptr fs:[00000030h]	3_2_019562A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019562A0 mov eax, dword ptr fs:[00000030h]	3_2_019562A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019562A0 mov eax, dword ptr fs:[00000030h]	3_2_019562A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019562A0 mov eax, dword ptr fs:[00000030h]	3_2_019562A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CA2C3 mov eax, dword ptr fs:[00000030h]	3_2_018CA2C3
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CA2C3 mov eax, dword ptr fs:[00000030h]	3_2_018CA2C3
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CA2C3 mov eax, dword ptr fs:[00000030h]	3_2_018CA2C3
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CA2C3 mov eax, dword ptr fs:[00000030h]	3_2_018CA2C3
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CA2C3 mov eax, dword ptr fs:[00000030h]	3_2_018CA2C3
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019962D6 mov eax, dword ptr fs:[00000030h]	3_2_019962D6
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D02E1 mov eax, dword ptr fs:[00000030h]	3_2_018D02E1
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D02E1 mov eax, dword ptr fs:[00000030h]	3_2_018D02E1
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D02E1 mov eax, dword ptr fs:[00000030h]	3_2_018D02E1
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018B823B mov eax, dword ptr fs:[00000030h]	3_2_018B823B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0199625D mov eax, dword ptr fs:[00000030h]	3_2_0199625D
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0197A250 mov eax, dword ptr fs:[00000030h]	3_2_0197A250
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0197A250 mov eax, dword ptr fs:[00000030h]	3_2_0197A250
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C6259 mov eax, dword ptr fs:[00000030h]	3_2_018C6259
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01948243 mov eax, dword ptr fs:[00000030h]	3_2_01948243
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01948243 mov ecx, dword ptr fs:[00000030h]	3_2_01948243
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018BA250 mov eax, dword ptr fs:[00000030h]	3_2_018BA250
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018B826B mov eax, dword ptr fs:[00000030h]	3_2_018B826B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h]	3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h]	3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h]	3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h]	3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h]	3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h]	3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h]	3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h]	3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h]	3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h]	3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h]	3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01970274 mov eax, dword ptr fs:[00000030h]	3_2_01970274
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C4260 mov eax, dword ptr fs:[00000030h]	3_2_018C4260
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C4260 mov eax, dword ptr fs:[00000030h]	3_2_018C4260
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C4260 mov eax, dword ptr fs:[00000030h]	3_2_018C4260
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F4588 mov eax, dword ptr fs:[00000030h]	3_2_018F4588
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C2582 mov eax, dword ptr fs:[00000030h]	3_2_018C2582
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C2582 mov ecx, dword ptr fs:[00000030h]	3_2_018C2582
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FE59C mov eax, dword ptr fs:[00000030h]	3_2_018FE59C
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019405A7 mov eax, dword ptr fs:[00000030h]	3_2_019405A7
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019405A7 mov eax, dword ptr fs:[00000030h]	3_2_019405A7
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019405A7 mov eax, dword ptr fs:[00000030h]	3_2_019405A7
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E45B1 mov eax, dword ptr fs:[00000030h]	3_2_018E45B1
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E45B1 mov eax, dword ptr fs:[00000030h]	3_2_018E45B1
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FE5CF mov eax, dword ptr fs:[00000030h]	3_2_018FE5CF
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FE5CF mov eax, dword ptr fs:[00000030h]	3_2_018FE5CF
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C65D0 mov eax, dword ptr fs:[00000030h]	3_2_018C65D0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FA5D0 mov eax, dword ptr fs:[00000030h]	3_2_018FA5D0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FA5D0 mov eax, dword ptr fs:[00000030h]	3_2_018FA5D0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FC5ED mov eax, dword ptr fs:[00000030h]	3_2_018FC5ED
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FC5ED mov eax, dword ptr fs:[00000030h]	3_2_018FC5ED
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EE5E7 mov eax, dword ptr fs:[00000030h]	3_2_018EE5E7
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EE5E7 mov eax, dword ptr fs:[00000030h]	3_2_018EE5E7
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EE5E7 mov eax, dword ptr fs:[00000030h]	3_2_018EE5E7
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EE5E7 mov eax, dword ptr fs:[00000030h]	3_2_018EE5E7
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EE5E7 mov eax, dword ptr fs:[00000030h]	3_2_018EE5E7
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EE5E7 mov eax, dword ptr fs:[00000030h]	3_2_018EE5E7
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EE5E7 mov eax, dword ptr fs:[00000030h]	3_2_018EE5E7
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EE5E7 mov eax, dword ptr fs:[00000030h]	3_2_018EE5E7
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C25E0 mov eax, dword ptr fs:[00000030h]	3_2_018C25E0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01956500 mov eax, dword ptr fs:[00000030h]	3_2_01956500
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01994500 mov eax, dword ptr fs:[00000030h]	3_2_01994500
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01994500 mov eax, dword ptr fs:[00000030h]	3_2_01994500
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01994500 mov eax, dword ptr fs:[00000030h]	3_2_01994500
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01994500 mov eax, dword ptr fs:[00000030h]	3_2_01994500
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01994500 mov eax, dword ptr fs:[00000030h]	3_2_01994500
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01994500 mov eax, dword ptr fs:[00000030h]	3_2_01994500
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01994500 mov eax, dword ptr fs:[00000030h]	3_2_01994500
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EE53E mov eax, dword ptr fs:[00000030h]	3_2_018EE53E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EE53E mov eax, dword ptr fs:[00000030h]	3_2_018EE53E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EE53E mov eax, dword ptr fs:[00000030h]	3_2_018EE53E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EE53E mov eax, dword ptr fs:[00000030h]	3_2_018EE53E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EE53E mov eax, dword ptr fs:[00000030h]	3_2_018EE53E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0535 mov eax, dword ptr fs:[00000030h]	3_2_018D0535
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0535 mov eax, dword ptr fs:[00000030h]	3_2_018D0535
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0535 mov eax, dword ptr fs:[00000030h]	3_2_018D0535
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0535 mov eax, dword ptr fs:[00000030h]	3_2_018D0535
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0535 mov eax, dword ptr fs:[00000030h]	3_2_018D0535
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0535 mov eax, dword ptr fs:[00000030h]	3_2_018D0535
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C8550 mov eax, dword ptr fs:[00000030h]	3_2_018C8550
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C8550 mov eax, dword ptr fs:[00000030h]	3_2_018C8550
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F656A mov eax, dword ptr fs:[00000030h]	3_2_018F656A
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F656A mov eax, dword ptr fs:[00000030h]	3_2_018F656A
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F656A mov eax, dword ptr fs:[00000030h]	3_2_018F656A
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0197A49A mov eax, dword ptr fs:[00000030h]	3_2_0197A49A
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194A4B0 mov eax, dword ptr fs:[00000030h]	3_2_0194A4B0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C64AB mov eax, dword ptr fs:[00000030h]	3_2_018C64AB
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F44B0 mov ecx, dword ptr fs:[00000030h]	3_2_018F44B0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C04E5 mov ecx, dword ptr fs:[00000030h]	3_2_018C04E5
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F8402 mov eax, dword ptr fs:[00000030h]	3_2_018F8402
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F8402 mov eax, dword ptr fs:[00000030h]	3_2_018F8402
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F8402 mov eax, dword ptr fs:[00000030h]	3_2_018F8402
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018BE420 mov eax, dword ptr fs:[00000030h]	3_2_018BE420
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018BE420 mov eax, dword ptr fs:[00000030h]	3_2_018BE420
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018BE420 mov eax, dword ptr fs:[00000030h]	3_2_018BE420
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018BC427 mov eax, dword ptr fs:[00000030h]	3_2_018BC427
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01946420 mov eax, dword ptr fs:[00000030h]	3_2_01946420
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01946420 mov eax, dword ptr fs:[00000030h]	3_2_01946420
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01946420 mov eax, dword ptr fs:[00000030h]	3_2_01946420
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01946420 mov eax, dword ptr fs:[00000030h]	3_2_01946420
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01946420 mov eax, dword ptr fs:[00000030h]	3_2_01946420
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01946420 mov eax, dword ptr fs:[00000030h]	3_2_01946420
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01946420 mov eax, dword ptr fs:[00000030h]	3_2_01946420
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FA430 mov eax, dword ptr fs:[00000030h]	3_2_018FA430
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0197A456 mov eax, dword ptr fs:[00000030h]	3_2_0197A456
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FE443 mov eax, dword ptr fs:[00000030h]	3_2_018FE443
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FE443 mov eax, dword ptr fs:[00000030h]	3_2_018FE443
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FE443 mov eax, dword ptr fs:[00000030h]	3_2_018FE443
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FE443 mov eax, dword ptr fs:[00000030h]	3_2_018FE443
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FE443 mov eax, dword ptr fs:[00000030h]	3_2_018FE443
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FE443 mov eax, dword ptr fs:[00000030h]	3_2_018FE443
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FE443 mov eax, dword ptr fs:[00000030h]	3_2_018FE443
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FE443 mov eax, dword ptr fs:[00000030h]	3_2_018FE443
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E245A mov eax, dword ptr fs:[00000030h]	3_2_018E245A
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018B645D mov eax, dword ptr fs:[00000030h]	3_2_018B645D
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194C460 mov ecx, dword ptr fs:[00000030h]	3_2_0194C460
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EA470 mov eax, dword ptr fs:[00000030h]	3_2_018EA470
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EA470 mov eax, dword ptr fs:[00000030h]	3_2_018EA470
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EA470 mov eax, dword ptr fs:[00000030h]	3_2_018EA470
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196678E mov eax, dword ptr fs:[00000030h]	3_2_0196678E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C07AF mov eax, dword ptr fs:[00000030h]	3_2_018C07AF
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019747A0 mov eax, dword ptr fs:[00000030h]	3_2_019747A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CC7C0 mov eax, dword ptr fs:[00000030h]	3_2_018CC7C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019407C3 mov eax, dword ptr fs:[00000030h]	3_2_019407C3
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E27ED mov eax, dword ptr fs:[00000030h]	3_2_018E27ED
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E27ED mov eax, dword ptr fs:[00000030h]	3_2_018E27ED
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E27ED mov eax, dword ptr fs:[00000030h]	3_2_018E27ED
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194E7E1 mov eax, dword ptr fs:[00000030h]	3_2_0194E7E1
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C47FB mov eax, dword ptr fs:[00000030h]	3_2_018C47FB
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C47FB mov eax, dword ptr fs:[00000030h]	3_2_018C47FB
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FC700 mov eax, dword ptr fs:[00000030h]	3_2_018FC700
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C0710 mov eax, dword ptr fs:[00000030h]	3_2_018C0710
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F0710 mov eax, dword ptr fs:[00000030h]	3_2_018F0710
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193C730 mov eax, dword ptr fs:[00000030h]	3_2_0193C730
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FC720 mov eax, dword ptr fs:[00000030h]	3_2_018FC720
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FC720 mov eax, dword ptr fs:[00000030h]	3_2_018FC720
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F273C mov eax, dword ptr fs:[00000030h]	3_2_018F273C
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F273C mov ecx, dword ptr fs:[00000030h]	3_2_018F273C
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F273C mov eax, dword ptr fs:[00000030h]	3_2_018F273C
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902750 mov eax, dword ptr fs:[00000030h]	3_2_01902750
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902750 mov eax, dword ptr fs:[00000030h]	3_2_01902750
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01944755 mov eax, dword ptr fs:[00000030h]	3_2_01944755
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F674D mov esi, dword ptr fs:[00000030h]	3_2_018F674D
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F674D mov eax, dword ptr fs:[00000030h]	3_2_018F674D
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F674D mov eax, dword ptr fs:[00000030h]	3_2_018F674D
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194E75D mov eax, dword ptr fs:[00000030h]	3_2_0194E75D
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C0750 mov eax, dword ptr fs:[00000030h]	3_2_018C0750
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C8770 mov eax, dword ptr fs:[00000030h]	3_2_018C8770
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h]	3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h]	3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h]	3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h]	3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h]	3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h]	3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h]	3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h]	3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h]	3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h]	3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h]	3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0770 mov eax, dword ptr fs:[00000030h]	3_2_018D0770
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C4690 mov eax, dword ptr fs:[00000030h]	3_2_018C4690
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C4690 mov eax, dword ptr fs:[00000030h]	3_2_018C4690
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FC6A6 mov eax, dword ptr fs:[00000030h]	3_2_018FC6A6
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F66B0 mov eax, dword ptr fs:[00000030h]	3_2_018F66B0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FA6C7 mov ebx, dword ptr fs:[00000030h]	3_2_018FA6C7
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FA6C7 mov eax, dword ptr fs:[00000030h]	3_2_018FA6C7
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193E6F2 mov eax, dword ptr fs:[00000030h]	3_2_0193E6F2
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193E6F2 mov eax, dword ptr fs:[00000030h]	3_2_0193E6F2
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193E6F2 mov eax, dword ptr fs:[00000030h]	3_2_0193E6F2
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193E6F2 mov eax, dword ptr fs:[00000030h]	3_2_0193E6F2
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019406F1 mov eax, dword ptr fs:[00000030h]	3_2_019406F1
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019406F1 mov eax, dword ptr fs:[00000030h]	3_2_019406F1
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D260B mov eax, dword ptr fs:[00000030h]	3_2_018D260B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D260B mov eax, dword ptr fs:[00000030h]	3_2_018D260B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D260B mov eax, dword ptr fs:[00000030h]	3_2_018D260B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D260B mov eax, dword ptr fs:[00000030h]	3_2_018D260B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D260B mov eax, dword ptr fs:[00000030h]	3_2_018D260B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D260B mov eax, dword ptr fs:[00000030h]	3_2_018D260B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D260B mov eax, dword ptr fs:[00000030h]	3_2_018D260B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01902619 mov eax, dword ptr fs:[00000030h]	3_2_01902619
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193E609 mov eax, dword ptr fs:[00000030h]	3_2_0193E609
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C262C mov eax, dword ptr fs:[00000030h]	3_2_018C262C
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018DE627 mov eax, dword ptr fs:[00000030h]	3_2_018DE627
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F6620 mov eax, dword ptr fs:[00000030h]	3_2_018F6620
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F8620 mov eax, dword ptr fs:[00000030h]	3_2_018F8620
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018DC640 mov eax, dword ptr fs:[00000030h]	3_2_018DC640
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FA660 mov eax, dword ptr fs:[00000030h]	3_2_018FA660
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FA660 mov eax, dword ptr fs:[00000030h]	3_2_018FA660
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0198866E mov eax, dword ptr fs:[00000030h]	3_2_0198866E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0198866E mov eax, dword ptr fs:[00000030h]	3_2_0198866E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F2674 mov eax, dword ptr fs:[00000030h]	3_2_018F2674
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C09AD mov eax, dword ptr fs:[00000030h]	3_2_018C09AD
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C09AD mov eax, dword ptr fs:[00000030h]	3_2_018C09AD
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019489B3 mov esi, dword ptr fs:[00000030h]	3_2_019489B3
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019489B3 mov eax, dword ptr fs:[00000030h]	3_2_019489B3
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019489B3 mov eax, dword ptr fs:[00000030h]	3_2_019489B3
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h]	3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h]	3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h]	3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h]	3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h]	3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h]	3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h]	3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h]	3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h]	3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h]	3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h]	3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h]	3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D29A0 mov eax, dword ptr fs:[00000030h]	3_2_018D29A0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0198A9D3 mov eax, dword ptr fs:[00000030h]	3_2_0198A9D3
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019569C0 mov eax, dword ptr fs:[00000030h]	3_2_019569C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CA9D0 mov eax, dword ptr fs:[00000030h]	3_2_018CA9D0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CA9D0 mov eax, dword ptr fs:[00000030h]	3_2_018CA9D0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CA9D0 mov eax, dword ptr fs:[00000030h]	3_2_018CA9D0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CA9D0 mov eax, dword ptr fs:[00000030h]	3_2_018CA9D0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CA9D0 mov eax, dword ptr fs:[00000030h]	3_2_018CA9D0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CA9D0 mov eax, dword ptr fs:[00000030h]	3_2_018CA9D0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F49D0 mov eax, dword ptr fs:[00000030h]	3_2_018F49D0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194E9E0 mov eax, dword ptr fs:[00000030h]	3_2_0194E9E0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F29F9 mov eax, dword ptr fs:[00000030h]	3_2_018F29F9
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F29F9 mov eax, dword ptr fs:[00000030h]	3_2_018F29F9
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194C912 mov eax, dword ptr fs:[00000030h]	3_2_0194C912
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018B8918 mov eax, dword ptr fs:[00000030h]	3_2_018B8918
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018B8918 mov eax, dword ptr fs:[00000030h]	3_2_018B8918
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193E908 mov eax, dword ptr fs:[00000030h]	3_2_0193E908
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193E908 mov eax, dword ptr fs:[00000030h]	3_2_0193E908
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194892A mov eax, dword ptr fs:[00000030h]	3_2_0194892A
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0195892B mov eax, dword ptr fs:[00000030h]	3_2_0195892B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01940946 mov eax, dword ptr fs:[00000030h]	3_2_01940946
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01994940 mov eax, dword ptr fs:[00000030h]	3_2_01994940
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194C97C mov eax, dword ptr fs:[00000030h]	3_2_0194C97C
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E6962 mov eax, dword ptr fs:[00000030h]	3_2_018E6962
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E6962 mov eax, dword ptr fs:[00000030h]	3_2_018E6962
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E6962 mov eax, dword ptr fs:[00000030h]	3_2_018E6962
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01964978 mov eax, dword ptr fs:[00000030h]	3_2_01964978
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01964978 mov eax, dword ptr fs:[00000030h]	3_2_01964978
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0190096E mov eax, dword ptr fs:[00000030h]	3_2_0190096E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0190096E mov edx, dword ptr fs:[00000030h]	3_2_0190096E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0190096E mov eax, dword ptr fs:[00000030h]	3_2_0190096E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194C89D mov eax, dword ptr fs:[00000030h]	3_2_0194C89D
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C0887 mov eax, dword ptr fs:[00000030h]	3_2_018C0887
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EE8C0 mov eax, dword ptr fs:[00000030h]	3_2_018EE8C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_019908C0 mov eax, dword ptr fs:[00000030h]	3_2_019908C0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FC8F9 mov eax, dword ptr fs:[00000030h]	3_2_018FC8F9
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FC8F9 mov eax, dword ptr fs:[00000030h]	3_2_018FC8F9
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0198A8E4 mov eax, dword ptr fs:[00000030h]	3_2_0198A8E4
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194C810 mov eax, dword ptr fs:[00000030h]	3_2_0194C810
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196483A mov eax, dword ptr fs:[00000030h]	3_2_0196483A
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196483A mov eax, dword ptr fs:[00000030h]	3_2_0196483A
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E2835 mov eax, dword ptr fs:[00000030h]	3_2_018E2835
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E2835 mov eax, dword ptr fs:[00000030h]	3_2_018E2835
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E2835 mov eax, dword ptr fs:[00000030h]	3_2_018E2835
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E2835 mov ecx, dword ptr fs:[00000030h]	3_2_018E2835
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E2835 mov eax, dword ptr fs:[00000030h]	3_2_018E2835
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E2835 mov eax, dword ptr fs:[00000030h]	3_2_018E2835
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FA830 mov eax, dword ptr fs:[00000030h]	3_2_018FA830
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D2840 mov ecx, dword ptr fs:[00000030h]	3_2_018D2840
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C4859 mov eax, dword ptr fs:[00000030h]	3_2_018C4859
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C4859 mov eax, dword ptr fs:[00000030h]	3_2_018C4859
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F0854 mov eax, dword ptr fs:[00000030h]	3_2_018F0854
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01956870 mov eax, dword ptr fs:[00000030h]	3_2_01956870
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01956870 mov eax, dword ptr fs:[00000030h]	3_2_01956870
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194E872 mov eax, dword ptr fs:[00000030h]	3_2_0194E872
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194E872 mov eax, dword ptr fs:[00000030h]	3_2_0194E872
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01974BB0 mov eax, dword ptr fs:[00000030h]	3_2_01974BB0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01974BB0 mov eax, dword ptr fs:[00000030h]	3_2_01974BB0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0BBE mov eax, dword ptr fs:[00000030h]	3_2_018D0BBE
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0BBE mov eax, dword ptr fs:[00000030h]	3_2_018D0BBE
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C0BCD mov eax, dword ptr fs:[00000030h]	3_2_018C0BCD
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C0BCD mov eax, dword ptr fs:[00000030h]	3_2_018C0BCD
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C0BCD mov eax, dword ptr fs:[00000030h]	3_2_018C0BCD
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E0BCB mov eax, dword ptr fs:[00000030h]	3_2_018E0BCB
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E0BCB mov eax, dword ptr fs:[00000030h]	3_2_018E0BCB
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E0BCB mov eax, dword ptr fs:[00000030h]	3_2_018E0BCB
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196EBD0 mov eax, dword ptr fs:[00000030h]	3_2_0196EBD0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194CBF0 mov eax, dword ptr fs:[00000030h]	3_2_0194CBF0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EEBFC mov eax, dword ptr fs:[00000030h]	3_2_018EEBFC
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C8BF0 mov eax, dword ptr fs:[00000030h]	3_2_018C8BF0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C8BF0 mov eax, dword ptr fs:[00000030h]	3_2_018C8BF0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C8BF0 mov eax, dword ptr fs:[00000030h]	3_2_018C8BF0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193EB1D mov eax, dword ptr fs:[00000030h]	3_2_0193EB1D
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193EB1D mov eax, dword ptr fs:[00000030h]	3_2_0193EB1D
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193EB1D mov eax, dword ptr fs:[00000030h]	3_2_0193EB1D
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193EB1D mov eax, dword ptr fs:[00000030h]	3_2_0193EB1D
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193EB1D mov eax, dword ptr fs:[00000030h]	3_2_0193EB1D
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193EB1D mov eax, dword ptr fs:[00000030h]	3_2_0193EB1D
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193EB1D mov eax, dword ptr fs:[00000030h]	3_2_0193EB1D
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193EB1D mov eax, dword ptr fs:[00000030h]	3_2_0193EB1D
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0193EB1D mov eax, dword ptr fs:[00000030h]	3_2_0193EB1D
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01994B00 mov eax, dword ptr fs:[00000030h]	3_2_01994B00
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EEB20 mov eax, dword ptr fs:[00000030h]	3_2_018EEB20
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EEB20 mov eax, dword ptr fs:[00000030h]	3_2_018EEB20
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01988B28 mov eax, dword ptr fs:[00000030h]	3_2_01988B28
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01988B28 mov eax, dword ptr fs:[00000030h]	3_2_01988B28
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0196EB50 mov eax, dword ptr fs:[00000030h]	3_2_0196EB50
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01992B57 mov eax, dword ptr fs:[00000030h]	3_2_01992B57
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01992B57 mov eax, dword ptr fs:[00000030h]	3_2_01992B57
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01992B57 mov eax, dword ptr fs:[00000030h]	3_2_01992B57
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01992B57 mov eax, dword ptr fs:[00000030h]	3_2_01992B57
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01968B42 mov eax, dword ptr fs:[00000030h]	3_2_01968B42
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01956B40 mov eax, dword ptr fs:[00000030h]	3_2_01956B40
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01956B40 mov eax, dword ptr fs:[00000030h]	3_2_01956B40
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0198AB40 mov eax, dword ptr fs:[00000030h]	3_2_0198AB40
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018B8B50 mov eax, dword ptr fs:[00000030h]	3_2_018B8B50
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01974B4B mov eax, dword ptr fs:[00000030h]	3_2_01974B4B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01974B4B mov eax, dword ptr fs:[00000030h]	3_2_01974B4B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018BCB7E mov eax, dword ptr fs:[00000030h]	3_2_018BCB7E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CEA80 mov eax, dword ptr fs:[00000030h]	3_2_018CEA80
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CEA80 mov eax, dword ptr fs:[00000030h]	3_2_018CEA80
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CEA80 mov eax, dword ptr fs:[00000030h]	3_2_018CEA80
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CEA80 mov eax, dword ptr fs:[00000030h]	3_2_018CEA80
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CEA80 mov eax, dword ptr fs:[00000030h]	3_2_018CEA80
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CEA80 mov eax, dword ptr fs:[00000030h]	3_2_018CEA80
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CEA80 mov eax, dword ptr fs:[00000030h]	3_2_018CEA80
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CEA80 mov eax, dword ptr fs:[00000030h]	3_2_018CEA80
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018CEA80 mov eax, dword ptr fs:[00000030h]	3_2_018CEA80
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01994A80 mov eax, dword ptr fs:[00000030h]	3_2_01994A80
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F8A90 mov edx, dword ptr fs:[00000030h]	3_2_018F8A90
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C8AA0 mov eax, dword ptr fs:[00000030h]	3_2_018C8AA0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C8AA0 mov eax, dword ptr fs:[00000030h]	3_2_018C8AA0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01916AA4 mov eax, dword ptr fs:[00000030h]	3_2_01916AA4
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C0AD0 mov eax, dword ptr fs:[00000030h]	3_2_018C0AD0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01916ACC mov eax, dword ptr fs:[00000030h]	3_2_01916ACC
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01916ACC mov eax, dword ptr fs:[00000030h]	3_2_01916ACC
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_01916ACC mov eax, dword ptr fs:[00000030h]	3_2_01916ACC
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F4AD0 mov eax, dword ptr fs:[00000030h]	3_2_018F4AD0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018F4AD0 mov eax, dword ptr fs:[00000030h]	3_2_018F4AD0
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FAAEE mov eax, dword ptr fs:[00000030h]	3_2_018FAAEE
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FAAEE mov eax, dword ptr fs:[00000030h]	3_2_018FAAEE
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_0194CA11 mov eax, dword ptr fs:[00000030h]	3_2_0194CA11
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018EEA2E mov eax, dword ptr fs:[00000030h]	3_2_018EEA2E
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FCA24 mov eax, dword ptr fs:[00000030h]	3_2_018FCA24
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018FCA38 mov eax, dword ptr fs:[00000030h]	3_2_018FCA38
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E4A35 mov eax, dword ptr fs:[00000030h]	3_2_018E4A35
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018E4A35 mov eax, dword ptr fs:[00000030h]	3_2_018E4A35
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0A5B mov eax, dword ptr fs:[00000030h]	3_2_018D0A5B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018D0A5B mov eax, dword ptr fs:[00000030h]	3_2_018D0A5B
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C6A50 mov eax, dword ptr fs:[00000030h]	3_2_018C6A50
Source: C:\Users\user\Desktop\DOC_PDF.exe	Code function: 3_2_018C6A50 mov eax, dword ptr fs:[00000030h]	3_2_018C6A50

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 5_2_002B602D GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree,

5_2_002B602D

Source: C:\Users\user\Desktop\DOC_PDF.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 5_2_002D0C80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

5_2_002D0C80

Source: C:\Users\user\Desktop\DOC_PDF.exe

Memory allocated: page read and write | page guard

Found direct / indirect Syscall (likely to bypass EDR)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\DOC_PDF.exe	NtQueueApcThread: Indirect: 0x187A4F2			Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	NtClose: Indirect: 0x187A56C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\DOC_PDF.exe

Memory written: C:\Users\user\Desktop\DOC_PDF.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\DOC_PDF.exe	Thread register set: target process: 1028			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Thread register set: target process: 1028			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\DOC_PDF.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\DOC_PDF.exe

Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 280000

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 5_2_002A2710 memset,GetModuleFileNameW,GetLastError,ShellExecuteExW,CreateThread,GetLastError,GetProcessHeap,HeapFree,GetLastError,

5_2_002A2710

Source: C:\Users\user\Desktop\DOC_PDF.exe	Process created: C:\Users\user\Desktop\DOC_PDF.exe "C:\Users\user\Desktop\DOC_PDF.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DOC_PDF.exe"			Jump to behavior

Source: explorer.exe, 00000004.00000003.3828353043.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095363087.0000000009B95000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000004.00000002.4503812385.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2043823807.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000002.4506324559.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4503812385.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2043823807.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.4503812385.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2043823807.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.4503812385.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2043823807.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.2043320694.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4502583953.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\Desktop\DOC_PDF.exe	Queries volume information: C:\Users\user\Desktop\DOC_PDF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 5_2_002B7E50 GetProcessHeap,HeapAlloc,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateEventW,CreateNamedPipeW,ConnectNamedPipe,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,LocalFree,

5_2_002B7E50

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 5_2_002B7A8E GetSystemTime,

5_2_002B7A8E

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 5_2_00294764 GetProcessHeap,HeapAlloc,GetUserNameExW,GetLastError,SysFreeString,GetProcessHeap,HeapFree,

5_2_00294764

Source: C:\Users\user\Desktop\DOC_PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: 3.2.DOC_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.DOC_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match	File source: 3.2.DOC_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.DOC_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Shared Modules	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Credential API Hooking	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	2 Clipboard Data	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	513 Process Injection	4 Obfuscated Files or Information	NTDS	213 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	241 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Rootkit	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Masquerading	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	41 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	513 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DOC_PDF.exe	58%	ReversingLabs	Win32.Backdoor.FormBook
DOC_PDF.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://word.office.comon	0%	Avira URL Cloud	safe
http://www.resdai.xyzReferer:	0%	Avira URL Cloud	safe
http://www.bykmr.shop/b31a/www.utebolshirts.shop	0%	Avira URL Cloud	safe
http://www.indjuvedermdoctorsnearby.todayReferer:	0%	Avira URL Cloud	safe
http://www.rojectleadzone.website/b31a/	0%	Avira URL Cloud	safe
https://powerpoint.office.comcember	0%	Avira URL Cloud	safe
http://www.hegdg.netReferer:	0%	Avira URL Cloud	safe
http://www.resdai.xyz	0%	Avira URL Cloud	safe
http://www.ashforhouse19.onlineReferer:	0%	Avira URL Cloud	safe
http://www.rojectleadzone.website	0%	Avira URL Cloud	safe
http://www.resdai.xyz/b31a/	0%	Avira URL Cloud	safe
www.awlc7038.vip/b31a/	0%	Avira URL Cloud	safe
http://www.awlc7038.vip/b31a/www.rojectleadzone.website	0%	Avira URL Cloud	safe
http://www.igh-class-jewelry.infoReferer:	0%	Avira URL Cloud	safe
http://www.2239d3.christmasReferer:	0%	Avira URL Cloud	safe
http://www.aemoruhagic.click/b31a/www.-web-p102.buzz	0%	Avira URL Cloud	safe
http://www.utebolshirts.shop/b31a/www.resdai.xyz	0%	Avira URL Cloud	safe
http://www.utebolshirts.shop	0%	Avira URL Cloud	safe
http://www.olf-cart-82894.bond	0%	Avira URL Cloud	safe
http://www.igh-class-jewelry.info/b31a/	0%	Avira URL Cloud	safe
http://www.indjuvedermdoctorsnearby.today/b31a/	0%	Avira URL Cloud	safe
http://www.rojectleadzone.websiteReferer:	0%	Avira URL Cloud	safe
http://www.indjuvedermdoctorsnearby.today	0%	Avira URL Cloud	safe
http://www.autoitscript.E	0%	Avira URL Cloud	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	Avira URL Cloud	safe
http://www.ewancash.boats	0%	Avira URL Cloud	safe
http://www.indjuvedermdoctorsnearby.today/b31a/www.ashforhouse19.online	0%	Avira URL Cloud	safe
http://www.utebolshirts.shop/b31a/	0%	Avira URL Cloud	safe
http://www.olf-cart-82894.bond/b31a/www.hewieandfriends.info	0%	Avira URL Cloud	safe
http://www.awlc7038.vip/b31a/	0%	Avira URL Cloud	safe
http://www.ewancash.boatsReferer:	0%	Avira URL Cloud	safe
http://www.48827496.topReferer:	0%	Avira URL Cloud	safe
http://www.aemoruhagic.clickReferer:	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
https://wns.windows.com/)s	0%	Avira URL Cloud	safe
http://www.-web-p102.buzz/b31a/www.indjuvedermdoctorsnearby.today	0%	Avira URL Cloud	safe
http://www.igh-class-jewelry.info	0%	Avira URL Cloud	safe
http://www.-web-p102.buzz	0%	Avira URL Cloud	safe
http://www.2239d3.christmas/b31a/	0%	Avira URL Cloud	safe
http://www.hegdg.net	0%	Avira URL Cloud	safe
http://www.hewieandfriends.info/b31a/www.ewancash.boats	0%	Avira URL Cloud	safe
http://www.48827496.top	0%	Avira URL Cloud	safe
http://www.48827496.top/b31a/	0%	Avira URL Cloud	safe
http://www.bykmr.shopReferer:	0%	Avira URL Cloud	safe
http://www.ashforhouse19.online	0%	Avira URL Cloud	safe
http://www.awlc7038.vip	0%	Avira URL Cloud	safe
http://www.igh-class-jewelry.info/b31a/www.48827496.top	0%	Avira URL Cloud	safe
http://www.ewancash.boats/b31a/www.igh-class-jewelry.info	0%	Avira URL Cloud	safe
http://www.-web-p102.buzz/b31a/	0%	Avira URL Cloud	safe
http://www.hewieandfriends.infoReferer:	0%	Avira URL Cloud	safe
http://www.-web-p102.buzzReferer:	0%	Avira URL Cloud	safe
http://www.resdai.xyz/b31a/www.hegdg.net	0%	Avira URL Cloud	safe
http://www.rojectleadzone.website/b31a/www.olf-cart-82894.bond	0%	Avira URL Cloud	safe
http://www.olf-cart-82894.bond/b31a/	0%	Avira URL Cloud	safe
https://outlook.com	0%	Avira URL Cloud	safe
http://www.ewancash.boats/b31a/	0%	Avira URL Cloud	safe
http://www.hewieandfriends.info	0%	Avira URL Cloud	safe
http://www.hegdg.net/b31a/	0%	Avira URL Cloud	safe
http://www.bykmr.shop/b31a/	0%	Avira URL Cloud	safe
http://www.hewieandfriends.info/b31a/	0%	Avira URL Cloud	safe
http://www.aemoruhagic.click	0%	Avira URL Cloud	safe
http://www.bykmr.shop	0%	Avira URL Cloud	safe
http://www.2239d3.christmas/b31a/h	0%	Avira URL Cloud	safe
http://www.2239d3.christmas	0%	Avira URL Cloud	safe
http://www.utebolshirts.shopReferer:	0%	Avira URL Cloud	safe
http://www.aemoruhagic.click/b31a/	0%	Avira URL Cloud	safe
http://www.olf-cart-82894.bondReferer:	0%	Avira URL Cloud	safe
http://www.hegdg.net/b31a/www.aemoruhagic.click	0%	Avira URL Cloud	safe
http://www.48827496.top/b31a/www.bykmr.shop	0%	Avira URL Cloud	safe
http://www.awlc7038.vipReferer:	0%	Avira URL Cloud	safe
http://www.ashforhouse19.online/b31a/www.2239d3.christmas	0%	Avira URL Cloud	safe
http://crl.v	0%	Avira URL Cloud	safe
http://www.ashforhouse19.online/b31a/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.awlc7038.vip	unknown	unknown	true	unknown
www.48827496.top	unknown	unknown	true	unknown
www.olf-cart-82894.bond	unknown	unknown	true	unknown
www.ewancash.boats	unknown	unknown	true	unknown
www.aemoruhagic.click	unknown	unknown	true	unknown
www.rojectleadzone.website	unknown	unknown	true	unknown
www.bykmr.shop	unknown	unknown	true	unknown
www.utebolshirts.shop	unknown	unknown	true	unknown
www.hegdg.net	unknown	unknown	true	unknown
www.hewieandfriends.info	unknown	unknown	true	unknown
www.igh-class-jewelry.info	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.awlc7038.vip/b31a/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://word.office.comon	explorer.exe, 00000004.00000003.3094195569.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510666183.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.resdai.xyzReferer:	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rojectleadzone.website	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rojectleadzone.website/b31a/	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indjuvedermdoctorsnearby.todayReferer:	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.resdai.xyz	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bykmr.shop/b31a/www.utebolshirts.shop	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hegdg.netReferer:	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.comcember	explorer.exe, 00000004.00000002.4516483645.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2062045915.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ashforhouse19.onlineReferer:	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.awlc7038.vip/b31a/www.rojectleadzone.website	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.resdai.xyz/b31a/	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.utebolshirts.shop	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000004.00000003.3828353043.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095363087.0000000009B95000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3826265427.0000000009B95000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4513465744.0000000009C22000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000004.00000000.2057955900.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4508804572.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2057404332.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.igh-class-jewelry.infoReferer:	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.olf-cart-82894.bond	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.igh-class-jewelry.info/b31a/	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aemoruhagic.click/b31a/www.-web-p102.buzz	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.utebolshirts.shop/b31a/www.resdai.xyz	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.2239d3.christmasReferer:	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indjuvedermdoctorsnearby.today/b31a/	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.E	explorer.exe, 00000004.00000003.3825649798.000000000C8EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095300966.000000000C8E8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3102191852.000000000C8EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3093866051.000000000C8E8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2062761599.000000000C8E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indjuvedermdoctorsnearby.today	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rojectleadzone.websiteReferer:	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.utebolshirts.shop/b31a/	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.olf-cart-82894.bond/b31a/www.hewieandfriends.info	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ewancash.boats	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000004.00000002.4516483645.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2062045915.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indjuvedermdoctorsnearby.today/b31a/www.ashforhouse19.online	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.awlc7038.vip/b31a/	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ewancash.boatsReferer:	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.48827496.topReferer:	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aemoruhagic.clickReferer:	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.igh-class-jewelry.info	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/)s	explorer.exe, 00000004.00000003.3094195569.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510666183.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000004.00000000.2062761599.000000000C8BC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095300966.000000000C8DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3093866051.000000000C8BC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.-web-p102.buzz/b31a/www.indjuvedermdoctorsnearby.today	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.-web-p102.buzz	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.2239d3.christmas/b31a/	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hegdg.net	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.48827496.top	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hewieandfriends.info/b31a/www.ewancash.boats	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.48827496.top/b31a/	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ashforhouse19.online	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bykmr.shopReferer:	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.awlc7038.vip	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.igh-class-jewelry.info/b31a/www.48827496.top	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ewancash.boats/b31a/www.igh-class-jewelry.info	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.-web-p102.buzz/b31a/	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hewieandfriends.infoReferer:	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.-web-p102.buzzReferer:	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.resdai.xyz/b31a/www.hegdg.net	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rojectleadzone.website/b31a/www.olf-cart-82894.bond	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.olf-cart-82894.bond/b31a/	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 00000004.00000000.2058647031.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4513550393.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095363087.0000000009B95000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3826265427.0000000009B95000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3827270143.0000000009C92000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hewieandfriends.info	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ewancash.boats/b31a/	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hegdg.net/b31a/	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bykmr.shop/b31a/	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hewieandfriends.info/b31a/	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aemoruhagic.click	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000004.00000003.3827896321.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4506643376.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2056628232.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.bykmr.shop	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.2239d3.christmas/b31a/h	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.2239d3.christmas	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/	explorer.exe, 00000004.00000002.4510666183.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2058647031.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094195569.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.utebolshirts.shopReferer:	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aemoruhagic.click/b31a/	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ashforhouse19.online/b31a/www.2239d3.christmas	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.olf-cart-82894.bondReferer:	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hegdg.net/b31a/www.aemoruhagic.click	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.48827496.top/b31a/www.bykmr.shop	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.awlc7038.vipReferer:	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.v	explorer.exe, 00000004.00000000.2043320694.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4502583953.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ashforhouse19.online/b31a/	explorer.exe, 00000004.00000002.4504664201.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100427962.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095856297.000000000353D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519409
Start date and time:	2024-09-26 13:44:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DOC_PDF.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/1@11/0
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 98% Number of executed functions: 114 Number of non-executed functions: 370
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target explorer.exe, PID 1028 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: DOC_PDF.exe

Simulations

Behavior and APIs

Time	Type	Description
07:44:58	API Interceptor	1x Sleep call for process: DOC_PDF.exe modified
07:45:01	API Interceptor	8919275x Sleep call for process: explorer.exe modified
07:45:41	API Interceptor	7922880x Sleep call for process: msdt.exe modified

Process:	C:\Users\user\Desktop\DOC_PDF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.798054982173893
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	DOC_PDF.exe
File size:	611'328 bytes
MD5:	debff2e29172e4c6b07a62a5d7b8a6b4
SHA1:	6e2073a1f0dbd338f0a8673f35b8628581fac402
SHA256:	874c6faee7e17445012c0f573c29dde997a71cc86e15fc3152a22365cf83bdf1
SHA512:	565cccea3f2b0214e64e352a0676465c6b6792da5d7f77a9e97463c7ebb0fd8ab71baa835fa586268c425aa01577cf5ff5a3d7f652a9c1f6fb568757713b59f1
SSDEEP:	12288:v0FSVDrE1Sytj7ueTw98NxmngEFTas9VdqJGQ/UUakA/k3Q8bQbZ:I1Sytj71LSdOqa4UakZTI
TLSH:	40D401052656C913D4EA4FF409B1D6B8527A2E9EA916C30B9FDEBEDF7C3A3421940343
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..J..........fh... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x496866
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xCCFF9492 [Mon Dec 26 17:36:18 2078 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x96811	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x98000	0x5b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x94ef8	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9486c	0x94a00	88d25af99f4fbced339e4a5f26bb9885	False	0.9201255650756939	data	7.806630339806879	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x98000	0x5b4	0x600	8b2686e544781396c07b7ab3c05a6dcb	False	0.4231770833333333	data	4.096483433036811	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9a000	0xc	0x200	4f4a9ca30ab2e8dbdba16650bbada546	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x98090	0x324	data			0.43407960199004975
RT_MANIFEST	0x983c4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 13:45:34.016469955 CEST	65387	53	192.168.2.5	1.1.1.1
Sep 26, 2024 13:45:34.025757074 CEST	53	65387	1.1.1.1	192.168.2.5
Sep 26, 2024 13:45:55.797008038 CEST	51227	53	192.168.2.5	1.1.1.1
Sep 26, 2024 13:45:55.807245016 CEST	53	51227	1.1.1.1	192.168.2.5
Sep 26, 2024 13:46:14.644463062 CEST	64371	53	192.168.2.5	1.1.1.1
Sep 26, 2024 13:46:14.657212019 CEST	53	64371	1.1.1.1	192.168.2.5
Sep 26, 2024 13:46:35.070553064 CEST	61088	53	192.168.2.5	1.1.1.1
Sep 26, 2024 13:46:35.086643934 CEST	53	61088	1.1.1.1	192.168.2.5
Sep 26, 2024 13:46:56.610105991 CEST	64659	53	192.168.2.5	1.1.1.1
Sep 26, 2024 13:46:56.620161057 CEST	53	64659	1.1.1.1	192.168.2.5
Sep 26, 2024 13:47:17.049792051 CEST	53345	53	192.168.2.5	1.1.1.1
Sep 26, 2024 13:47:17.065444946 CEST	53	53345	1.1.1.1	192.168.2.5
Sep 26, 2024 13:47:37.860259056 CEST	63728	53	192.168.2.5	1.1.1.1
Sep 26, 2024 13:47:38.333216906 CEST	53	63728	1.1.1.1	192.168.2.5
Sep 26, 2024 13:47:58.901911020 CEST	57580	53	192.168.2.5	1.1.1.1
Sep 26, 2024 13:47:58.914411068 CEST	53	57580	1.1.1.1	192.168.2.5
Sep 26, 2024 13:48:19.814678907 CEST	51750	53	192.168.2.5	1.1.1.1
Sep 26, 2024 13:48:19.827140093 CEST	53	51750	1.1.1.1	192.168.2.5
Sep 26, 2024 13:49:00.621493101 CEST	59378	53	192.168.2.5	1.1.1.1
Sep 26, 2024 13:49:01.149178982 CEST	53	59378	1.1.1.1	192.168.2.5
Sep 26, 2024 13:49:21.876873970 CEST	63371	53	192.168.2.5	1.1.1.1
Sep 26, 2024 13:49:21.895679951 CEST	53	63371	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 13:45:34.016469955 CEST	192.168.2.5	1.1.1.1	0x161	Standard query (0)	www.awlc7038.vip	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:45:55.797008038 CEST	192.168.2.5	1.1.1.1	0x9203	Standard query (0)	www.rojectleadzone.website	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:46:14.644463062 CEST	192.168.2.5	1.1.1.1	0xfc44	Standard query (0)	www.olf-cart-82894.bond	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:46:35.070553064 CEST	192.168.2.5	1.1.1.1	0x3817	Standard query (0)	www.hewieandfriends.info	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:46:56.610105991 CEST	192.168.2.5	1.1.1.1	0x67b9	Standard query (0)	www.ewancash.boats	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:47:17.049792051 CEST	192.168.2.5	1.1.1.1	0x2864	Standard query (0)	www.igh-class-jewelry.info	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:47:37.860259056 CEST	192.168.2.5	1.1.1.1	0xe73b	Standard query (0)	www.48827496.top	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:47:58.901911020 CEST	192.168.2.5	1.1.1.1	0x75cd	Standard query (0)	www.bykmr.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:48:19.814678907 CEST	192.168.2.5	1.1.1.1	0x552a	Standard query (0)	www.utebolshirts.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:49:00.621493101 CEST	192.168.2.5	1.1.1.1	0x8664	Standard query (0)	www.hegdg.net	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:49:21.876873970 CEST	192.168.2.5	1.1.1.1	0x6ea4	Standard query (0)	www.aemoruhagic.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 13:45:34.025757074 CEST	1.1.1.1	192.168.2.5	0x161	Name error (3)	www.awlc7038.vip	none	none	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:45:55.807245016 CEST	1.1.1.1	192.168.2.5	0x9203	Name error (3)	www.rojectleadzone.website	none	none	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:46:14.657212019 CEST	1.1.1.1	192.168.2.5	0xfc44	Name error (3)	www.olf-cart-82894.bond	none	none	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:46:35.086643934 CEST	1.1.1.1	192.168.2.5	0x3817	Name error (3)	www.hewieandfriends.info	none	none	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:46:56.620161057 CEST	1.1.1.1	192.168.2.5	0x67b9	Name error (3)	www.ewancash.boats	none	none	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:47:17.065444946 CEST	1.1.1.1	192.168.2.5	0x2864	Name error (3)	www.igh-class-jewelry.info	none	none	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:47:38.333216906 CEST	1.1.1.1	192.168.2.5	0xe73b	Name error (3)	www.48827496.top	none	none	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:47:58.914411068 CEST	1.1.1.1	192.168.2.5	0x75cd	Name error (3)	www.bykmr.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:48:19.827140093 CEST	1.1.1.1	192.168.2.5	0x552a	Name error (3)	www.utebolshirts.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:49:01.149178982 CEST	1.1.1.1	192.168.2.5	0x8664	Name error (3)	www.hegdg.net	none	none	A (IP address)	IN (0x0001)	false
Sep 26, 2024 13:49:21.895679951 CEST	1.1.1.1	192.168.2.5	0x6ea4	Name error (3)	www.aemoruhagic.click	none	none	A (IP address)	IN (0x0001)	false

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE1
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE1
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE1
GetMessageA	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE1

Target ID:	0
Start time:	07:44:57
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\DOC_PDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DOC_PDF.exe"
Imagebase:	0xed0000
File size:	611'328 bytes
MD5 hash:	DEBFF2E29172E4C6B07A62A5D7B8A6B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2063004300.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2063004300.000000000448F000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	07:44:58
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\DOC_PDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DOC_PDF.exe"
Imagebase:	0xe00000
File size:	611'328 bytes
MD5 hash:	DEBFF2E29172E4C6B07A62A5D7B8A6B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.2101927673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Target ID:	4
Start time:	07:44:58
Start date:	26/09/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000004.00000002.4519710590.0000000010520000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Target ID:	5
Start time:	07:45:01
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msdt.exe"
Imagebase:	0x280000
File size:	389'632 bytes
MD5 hash:	BAA4458E429E7C906560FE4541ADFCFB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4503198454.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4503303380.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4502522007.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Target ID:	6
Start time:	07:45:05
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\DOC_PDF.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	07:45:05
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true