Windows Analysis Report
62402781, Fiyat Teklif Talebi.pdf.exe

Overview

General Information

Sample name: 62402781, Fiyat Teklif Talebi.pdf.exe
Analysis ID: 1430787
MD5: 52e4f8ee79c595a890bc451dfbbbb9f4
SHA1: 12b24cc207161c893d5c87fc12453c083275d11f
SHA256: 0766dcf703dbf0243d873fff3b325054eee96ce58a9753ac8aa9891c311b4434
Tags: AgentTeslaexegeoTUR
Infos:

Detection

AgentTesla, PureLog Stealer, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected PureLog Stealer
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Found API chain indicative of sandbox detection
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Found malware configuration
Source: 4.2.RegSvcs.exe.285020e.2.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.musabody.com", "Username": "victoria@musabody.com", "Password": "MUSAbody_victoria2018"}
Source: 4.2.RegSvcs.exe.285020e.2.raw.unpack Malware Configuration Extractor: RedLine {"C2 url": ["mail.musabody.com"]}
Multi AV Scanner detection for submitted file
Source: 62402781, Fiyat Teklif Talebi.pdf.exe ReversingLabs: Detection: 52%
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Virustotal: Detection: 48% Perma Link
Machine Learning detection for sample
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: ctsdvwT.exe, 00000005.00000000.2142766619.0000000000342000.00000002.00000001.01000000.00000007.sdmp, ctsdvwT.exe.4.dr
Source: Binary string: wntdll.pdbUGP source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000003.2013710069.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000003.2013148328.0000000004200000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000003.2025312823.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000003.2024412542.0000000003B50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000003.2013710069.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000003.2013148328.0000000004200000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000003.2025312823.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000003.2024412542.0000000003B50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: ctsdvwT.exe, 00000005.00000000.2142766619.0000000000342000.00000002.00000001.01000000.00000007.sdmp, ctsdvwT.exe.4.dr
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0082DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0082DBBE
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007FC2A2 FindFirstFileExW, 0_2_007FC2A2
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_008368EE FindFirstFileW,FindClose, 0_2_008368EE
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0083698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_0083698F
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0082D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0082D076
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0082D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0082D3A9
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_00839642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00839642
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0083979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0083979D
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_00839B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00839B2B
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_00835C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00835C97

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49712 -> 108.167.140.123:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49712 -> 108.167.140.123:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49712 -> 108.167.140.123:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49712 -> 108.167.140.123:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49712 -> 108.167.140.123:587
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: mail.musabody.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49712 -> 108.167.140.123:587
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49712 -> 108.167.140.123:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0083CE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 0_2_0083CE44
Source: unknown DNS traffic detected: queries for: mail.musabody.com
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.musabody.com
Source: RegSvcs.exe, 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, POq2Ux.cs .Net Code: _4H57oeN1J
Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0600A268 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,0600A8C0,00000000,00000000 4_2_0600A268
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0083EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_0083EAFF
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0083ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_0083ED6A
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0083EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_0083EAFF
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0082AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 0_2_0082AA57
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_00859576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00859576

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.62402781, Fiyat Teklif Talebi.pdf.exe.11f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.62402781, Fiyat Teklif Talebi.pdf.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.284f326.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.5120000.8.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.4f80000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.284f326.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.3c53790.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.3c05570.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.3c06458.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.4f80000.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.285020e.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.4f80ee8.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.3c05570.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegSvcs.exe.3c06458.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000004.00000002.4475963234.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000003.00000002.2028748340.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2016173689.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Binary is likely a compiled AutoIt script file
Source: 62402781, Fiyat Teklif Talebi.pdf.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000000.2004997068.0000000000882000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_976eb398-3
Source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000000.2004997068.0000000000882000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_8c62133b-2
Source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000002.2028136586.0000000000882000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_9ff3d474-f
Source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000002.2028136586.0000000000882000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_463114a5-a
Source: 62402781, Fiyat Teklif Talebi.pdf.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_2c7e1c25-5
Source: 62402781, Fiyat Teklif Talebi.pdf.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_6b0cda2d-6
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: 62402781, Fiyat Teklif Talebi.pdf.exe
Abnormal high CPU Usage
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process Stats: CPU usage > 49%
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0082D5EB: CreateFileW,DeviceIoControl,CloseHandle, 0_2_0082D5EB
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_00821201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00821201
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0082E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_0082E8F6
Detected potential crypto function
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007C8060 0_2_007C8060
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_00832046 0_2_00832046
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_00828298 0_2_00828298
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007FE4FF 0_2_007FE4FF
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007F676B 0_2_007F676B
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_00854873 0_2_00854873
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007CCAF0 0_2_007CCAF0
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007ECAA0 0_2_007ECAA0
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007DCC39 0_2_007DCC39
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007F6DD9 0_2_007F6DD9
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007DB119 0_2_007DB119
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007C91C0 0_2_007C91C0
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007E1394 0_2_007E1394
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007E1706 0_2_007E1706
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007E781B 0_2_007E781B
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007D997D 0_2_007D997D
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007C7920 0_2_007C7920
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007E19B0 0_2_007E19B0
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007E7A4A 0_2_007E7A4A
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007E1C77 0_2_007E1C77
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007E7CA7 0_2_007E7CA7
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007F9EEE 0_2_007F9EEE
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0084BE44 0_2_0084BE44
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007E1F32 0_2_007E1F32
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_01903640 0_2_01903640
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 3_2_011E3640 3_2_011E3640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00408C60 4_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0040DC11 4_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00407C3F 4_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00418CCC 4_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00406CA0 4_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004028B0 4_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041A4BE 4_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00418244 4_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00401650 4_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00402F20 4_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004193C4 4_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00418788 4_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00402F89 4_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00402B90 4_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004073A0 4_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0271DCB0 4_2_0271DCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0271D098 4_2_0271D098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0271D3E0 4_2_0271D3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_02710FD0 4_2_02710FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_02711030 4_2_02711030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05FC4938 4_2_05FC4938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05FCA7B8 4_2_05FCA7B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05FC7BB8 4_2_05FC7BB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05FCC368 4_2_05FCC368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05FC0108 4_2_05FC0108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05FC00F9 4_2_05FC00F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05FCD478 4_2_05FCD478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0600161C 4_2_0600161C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_06001610 4_2_06001610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_060035D0 4_2_060035D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_06149360 4_2_06149360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_061458A8 4_2_061458A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_061410D0 4_2_061410D0
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: String function: 007DF9F2 appears 40 times
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: String function: 007C9CB3 appears 31 times
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: String function: 007E0A30 appears 46 times
Sample file is different than original file name gathered from version info
Source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000003.2013287474.00000000044CD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 62402781, Fiyat Teklif Talebi.pdf.exe
Source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000002.2016173689.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename24eacbb4-825a-4768-ad59-21c6c6ffb60d.exe4 vs 62402781, Fiyat Teklif Talebi.pdf.exe
Source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000003.2013148328.0000000004323000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 62402781, Fiyat Teklif Talebi.pdf.exe
Source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000003.2026090146.0000000003C73000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 62402781, Fiyat Teklif Talebi.pdf.exe
Source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000003.2024613808.0000000003E1D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 62402781, Fiyat Teklif Talebi.pdf.exe
Source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000002.2028748340.00000000011F0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename24eacbb4-825a-4768-ad59-21c6c6ffb60d.exe4 vs 62402781, Fiyat Teklif Talebi.pdf.exe
Uses 32bit PE files
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.62402781, Fiyat Teklif Talebi.pdf.exe.11f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.62402781, Fiyat Teklif Talebi.pdf.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.284f326.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.5120000.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.4f80000.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.284f326.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.3c53790.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.3c05570.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.3c06458.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.4f80000.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.285020e.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.4f80ee8.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.3c05570.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.3c06458.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000004.00000002.4475963234.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000003.00000002.2028748340.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2016173689.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, ZTFEpdjP8zw.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, WnRNxU.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, 2njIk.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, I5ElxL.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/10@1/1
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_008337B5 GetLastError,FormatMessageW, 0_2_008337B5
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_008210BF AdjustTokenPrivileges,CloseHandle, 0_2_008210BF
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_008216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_008216C3
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_008351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_008351CD
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0084A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0084A67C
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0083648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0083648E
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007C42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_007C42A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\ctsdvwT Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5032:120:WilError_03
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe File created: C:\Users\user\AppData\Local\Temp\aut32DD.tmp Jump to behavior
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4477550403.0000000002D59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 62402781, Fiyat Teklif Talebi.pdf.exe ReversingLabs: Detection: 52%
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Virustotal: Detection: 48%
Source: unknown Process created: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe"
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe"
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Process created: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe"
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe" Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Process created: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe" Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe" Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Static file information: File size 1209856 > 1048576
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: ctsdvwT.exe, 00000005.00000000.2142766619.0000000000342000.00000002.00000001.01000000.00000007.sdmp, ctsdvwT.exe.4.dr
Source: Binary string: wntdll.pdbUGP source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000003.2013710069.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000003.2013148328.0000000004200000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000003.2025312823.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000003.2024412542.0000000003B50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000003.2013710069.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000000.00000003.2013148328.0000000004200000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000003.2025312823.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, 62402781, Fiyat Teklif Talebi.pdf.exe, 00000003.00000003.2024412542.0000000003B50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: ctsdvwT.exe, 00000005.00000000.2142766619.0000000000342000.00000002.00000001.01000000.00000007.sdmp, ctsdvwT.exe.4.dr
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.3c06458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_007C42DE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007E0A76 push ecx; ret 0_2_007E0A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041C40C push cs; iretd 4_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00423149 push eax; ret 4_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041C50E push cs; iretd 4_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004231C8 push eax; ret 4_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0040E21D push ecx; ret 4_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041C6BE push ebx; ret 4_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_02714316 pushfd ; iretd 4_2_02714319
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05FCFDA3 push 14418B05h; ret 4_2_05FCFDB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_05FCFF30 push 18418B05h; ret 4_2_05FCFF43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_060025E1 push 10418B05h; ret 4_2_060025F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_060014AC push 04418B05h; ret 4_2_060026E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_06003270 push 0C418B05h; ret 4_2_06003283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_060073F8 pushfd ; retf 4_2_06007405
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_06003190 push 14418B05h; ret 4_2_060031C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_060031D0 push 24418B05h; ret 4_2_06003223
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0600BCC1 push es; ret 4_2_0600BCD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_06145120 push 24418B05h; ret 4_2_06145133
Source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IuVLqWDm5xkXP', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IuVLqWDm5xkXP', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IuVLqWDm5xkXP', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IuVLqWDm5xkXP', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.3c06458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IuVLqWDm5xkXP', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctsdvwT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctsdvwT Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe:Zone.Identifier read attributes | delete Jump to behavior
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: 62402781, Fiyat Teklif Talebi.pdf.exe
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007DF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_007DF98E
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_00851C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00851C41
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found API chain indicative of sandbox detection
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Memory allocated: AC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Memory allocated: 2750000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Memory allocated: AC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Memory allocated: 3010000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Memory allocated: 32A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Memory allocated: 30A0000 memory reserve | memory write watch Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 4_2_004019F0
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2400000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399532 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399407 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399282 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399172 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398938 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398688 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398563 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2396985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2396860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2396735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2396610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2396485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2396360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2396235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2396110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2393985 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8108 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1713 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe API coverage: 4.1 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 6396 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5788 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0082DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0082DBBE
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007FC2A2 FindFirstFileExW, 0_2_007FC2A2
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_008368EE FindFirstFileW,FindClose, 0_2_008368EE
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0083698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_0083698F
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0082D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0082D076
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0082D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0082D3A9
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_00839642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00839642
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0083979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0083979D
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_00839B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00839B2B
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_00835C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00835C97
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_007C42DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2400000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399532 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399407 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399282 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399172 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398938 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398688 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398563 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2396985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2396860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2396735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2396610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2396485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2396360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2396235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2396110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2393985 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: RegSvcs.exe, 00000004.00000002.4479098874.0000000005463000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API call chain: ExitProcess graph end node
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0083EAA2 BlockInput, 0_2_0083EAA2
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007F2622
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 4_2_004019F0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_007C42DE
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007E4CE8 mov eax, dword ptr fs:[00000030h] 0_2_007E4CE8
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_01903530 mov eax, dword ptr fs:[00000030h] 0_2_01903530
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_019034D0 mov eax, dword ptr fs:[00000030h] 0_2_019034D0
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_01901ED0 mov eax, dword ptr fs:[00000030h] 0_2_01901ED0
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 3_2_011E3530 mov eax, dword ptr fs:[00000030h] 3_2_011E3530
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 3_2_011E34D0 mov eax, dword ptr fs:[00000030h] 3_2_011E34D0
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 3_2_011E1ED0 mov eax, dword ptr fs:[00000030h] 3_2_011E1ED0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_00820B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00820B62
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007F2622
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007E083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007E083F
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007E09D5 SetUnhandledExceptionFilter, 0_2_007E09D5
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007E0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_007E0C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004123F1 SetUnhandledExceptionFilter, 4_2_004123F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 8F4008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_00821201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00821201
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_00802BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00802BA5
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0082B226 SendInput,keybd_event, 0_2_0082B226
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_008422DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_008422DA
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe" Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe" Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_00820B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00820B62
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_00821663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00821663
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4477550403.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Time: 06/24/2024 01:10:13<br>User Name: user<br>Computer Name: 888683<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><b>[ Program Manager]</b> (24/04/2024 21:58:41)<br>{Win}r{Win}r
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C65000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $eq8<b>[ Program Manager]</b> (24/04/2024 21:58:41)<br>{Win}THjq
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C65000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $eq9<b>[ Program Manager]</b> (24/04/2024 21:58:41)<br>{Win}rTHjq
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C65000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C65000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReq
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Time: 06/24/2024 01:10:13<br>User Name: user<br>Computer Name: 888683<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><b>[ Program Manager]</b> (24/04/2024 21:58:41)<br>{Win}r{Win}rTeeq
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: @\eqDTime: 06/24/2024 01:10:13<br>User Name: user<br>Computer Name: 888683<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><b>[ Program Manager]</b> (24/04/2024 21:58:41)<br>{Win}r{Win}r
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C65000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $eq?<b>[ Program Manager]</b> (24/04/2024 21:58:41)<br>{Win}r{Win}rTHjq
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C65000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $eq><b>[ Program Manager]</b> (24/04/2024 21:58:41)<br>{Win}r{Win}THjq
Source: RegSvcs.exe, 00000004.00000002.4477550403.0000000002C65000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $eq3<b>[ Program Manager]</b> (24/04/2024 21:58:41)<br>
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007E0698 cpuid 0_2_007E0698
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoA, 4_2_00417A20
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_00838195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_00838195
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_0081D27A GetUserNameW, 0_2_0081D27A
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007FB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_007FB952
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_007C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_007C42DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.284f326.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.5120000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4f80000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.284f326.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c53790.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c05570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c06458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4f80000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.285020e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4f80ee8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c05570.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c06458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6380, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.284f326.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.5120000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4f80000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.284f326.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c53790.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c05570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c06458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4f80000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.285020e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4f80ee8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c05570.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c06458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.62402781, Fiyat Teklif Talebi.pdf.exe.11f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.62402781, Fiyat Teklif Talebi.pdf.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4475963234.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2028748340.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2016173689.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Binary or memory string: WIN_81
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Binary or memory string: WIN_XP
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Binary or memory string: WIN_XPe
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Binary or memory string: WIN_VISTA
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Binary or memory string: WIN_7
Source: 62402781, Fiyat Teklif Talebi.pdf.exe Binary or memory string: WIN_8
Yara detected Credential Stealer
Source: Yara match File source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.284f326.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.5120000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4f80000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.284f326.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c53790.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c05570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c06458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4f80000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.285020e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4f80ee8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c05570.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c06458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4477550403.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6380, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.284f326.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.5120000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4f80000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.284f326.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c53790.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c05570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c06458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4f80000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.285020e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4f80ee8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c05570.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c06458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6380, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 4.2.RegSvcs.exe.285020e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.284f326.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.5120000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.5120000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4f80000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.284f326.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4f80ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c53790.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c53790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c05570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c06458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4f80000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.285020e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.4f80ee8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c05570.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.3c06458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4478825665.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4477299535.000000000280F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4478416946.0000000004F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4478163041.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.62402781, Fiyat Teklif Talebi.pdf.exe.11f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.62402781, Fiyat Teklif Talebi.pdf.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4475963234.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2028748340.00000000011F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2016173689.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_00841204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00841204
Source: C:\Users\user\Desktop\62402781, Fiyat Teklif Talebi.pdf.exe Code function: 0_2_00841806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00841806
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1430787 Sample: 62402781, Fiyat Teklif Tale... Startdate: 24/04/2024 Architecture: WINDOWS Score: 100 31 mail.musabody.com 2->31 35 Snort IDS alert for network traffic 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 13 other signatures 2->41 8 62402781, Fiyat Teklif Talebi.pdf.exe 4 2->8         started        11 ctsdvwT.exe 2 2->11         started        13 ctsdvwT.exe 1 2->13         started        signatures3 process4 signatures5 43 Binary is likely a compiled AutoIt script file 8->43 15 62402781, Fiyat Teklif Talebi.pdf.exe 2 8->15         started        18 RegSvcs.exe 8->18         started        20 conhost.exe 11->20         started        22 conhost.exe 13->22         started        process6 signatures7 53 Binary is likely a compiled AutoIt script file 15->53 55 Writes to foreign memory regions 15->55 57 Maps a DLL or memory area into another process 15->57 24 RegSvcs.exe 1 4 15->24         started        59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->59 61 Contains functionality to register a low level keyboard hook 18->61 process8 dnsIp9 33 mail.musabody.com 108.167.140.123, 49712, 587 UNIFIEDLAYER-AS-1US United States 24->33 29 C:\Users\user\AppData\Roaming\...\ctsdvwT.exe, PE32 24->29 dropped 45 Tries to steal Mail credentials (via file / registry access) 24->45 47 Tries to harvest and steal browser information (history, passwords, etc) 24->47 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->49 51 Installs a global keyboard hook 24->51 file10 signatures11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
108.167.140.123
 mail.musabody.com United States
46606 UNIFIEDLAYER-AS-1US true

Contacted Domains

Name IP Active
mail.musabody.com 108.167.140.123 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
mail.musabody.com true
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown