Analysis Report SAMPLE ORDER pdf.exe

Overview

General Information

Sample Name: SAMPLE ORDER pdf.exe
Analysis ID: 286584
MD5: eb575f4502d47d85e7ba7a5655d83bbd
SHA1: 61190629a70ca90ae31b2691f17f640fc84d891e
SHA256: 2b44cba8f72f0539ac1b96b10decf933339427b7ab2959f4b2f1f7211a3d5bb3
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • SAMPLE ORDER pdf.exe (PID: 6424 cmdline: 'C:\Users\user\Desktop\SAMPLE ORDER pdf.exe' MD5: EB575F4502D47D85E7BA7A5655D83BBD)
    • schtasks.exe (PID: 6616 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CWGcQKxFZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp8420.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • YYtJku.exe (PID: 7116 cmdline: 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe' MD5: EB575F4502D47D85E7BA7A5655D83BBD)
    • schtasks.exe (PID: 5792 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CWGcQKxFZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp3EF4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • YYtJku.exe (PID: 4796 cmdline: {path} MD5: EB575F4502D47D85E7BA7A5655D83BBD)
  • YYtJku.exe (PID: 4156 cmdline: 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe' MD5: EB575F4502D47D85E7BA7A5655D83BBD)
    • schtasks.exe (PID: 4900 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CWGcQKxFZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp60A5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • YYtJku.exe (PID: 4800 cmdline: {path} MD5: EB575F4502D47D85E7BA7A5655D83BBD)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "fwl9JgBuCgySg", "URL: ": "http://YySCvmz7lOdeBIx.org", "To: ": "lu.baorong@ivqspa.com", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "hgecQ", "From: ": "lu.baorong@ivqspa.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.645151885.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
0000000D.00000002.645172658.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000009.00000002.519677222.0000000003BE5000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
0000000A.00000002.533438429.0000000003906000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000000.00000002.419759586.0000000003A88000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
(13 entries in total; the remaining entries are not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.SAMPLE ORDER pdf.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
13.2.YYtJku.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
17.2.YYtJku.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security
Data:
  • Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CWGcQKxFZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp8420.tmp'
  • CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CWGcQKxFZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp8420.tmp'
  • CommandLine|base64offset|contains: *j
  • Image: C:\Windows\SysWOW64\schtasks.exe
  • NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  • OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  • ParentCommandLine: 'C:\Users\user\Desktop\SAMPLE ORDER pdf.exe'
  • ParentImage: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe
  • ParentProcessId: 6424
  • ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CWGcQKxFZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp8420.tmp'
  • ProcessId: 6616

Signature Overview

AV Detection:

Found malware configuration
Source: SAMPLE ORDER pdf.exe.6680.5.memstr; Malware Configuration Extractor: Agenttesla {"Username: ": "fwl9JgBuCgySg", "URL: ": "http://YySCvmz7lOdeBIx.org", "To: ": "lu.baorong@ivqspa.com", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "hgecQ", "From: ": "lu.baorong@ivqspa.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\CWGcQKxFZ.exe; Virustotal: Detection: 41%
Source: C:\Users\user\AppData\Roaming\CWGcQKxFZ.exe; ReversingLabs: Detection: 22%
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe; Virustotal: Detection: 41%
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe; ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: SAMPLE ORDER pdf.exe; Virustotal: Detection: 41%
Source: SAMPLE ORDER pdf.exe; ReversingLabs: Detection: 22%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\CWGcQKxFZ.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SAMPLE ORDER pdf.exe; Joe Sandbox ML: detected
Source: 5.2.SAMPLE ORDER pdf.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 13.2.YYtJku.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 17.2.YYtJku.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: global traffic; TCP traffic: 192.168.2.3:49713 -> 208.91.198.143:587
Source: global traffic; TCP traffic: 192.168.2.3:49716 -> 208.91.199.224:587
Source: Joe Sandbox View; IP Address: 208.91.198.143
Source: Joe Sandbox View; IP Address: 208.91.199.224
Source: unknown; DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: YYtJku.exe, 0000000D.00000002.650496571.0000000003284000.00000004.00000001.sdmp; String found in binary or memory: http://YySCvmz7lOdeBIx.org
Source: SAMPLE ORDER pdf.exe, 00000005.00000002.649693101.0000000002B6C000.00000004.00000001.sdmp, YYtJku.exe, 0000000D.00000002.653318370.00000000033A2000.00000004.00000001.sdmp; String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: SAMPLE ORDER pdf.exe, 00000005.00000002.659488721.0000000006125000.00000004.00000001.sdmp, YYtJku.exe, 0000000D.00000002.653414427.00000000033AF000.00000004.00000001.sdmp; Strings found in binary or memory:
  • http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
  • http://ocsp.sectigo.com0A
  • https://sectigo.com/CPS0
Source: SAMPLE ORDER pdf.exe, 00000000.00000002.416312969.0000000002D7E000.00000004.00000001.sdmp, YYtJku.exe, 00000009.00000002.513987719.0000000002EDE000.00000004.00000001.sdmp, YYtJku.exe, 0000000A.00000002.528964798.0000000002BFE000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SAMPLE ORDER pdf.exe, 00000000.00000002.411034630.0000000002A31000.00000004.00000001.sdmp, YYtJku.exe, 00000009.00000002.510145921.0000000002B91000.00000004.00000001.sdmp, YYtJku.exe, 0000000A.00000002.526274733.00000000028B1000.00000004.00000001.sdmp; String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: SAMPLE ORDER pdf.exe, 00000000.00000002.423845795.0000000006A42000.00000004.00000001.sdmp, YYtJku.exe, 00000009.00000002.523292637.0000000005A70000.00000002.00000001.sdmp, YYtJku.exe, 0000000A.00000002.542937441.00000000057C0000.00000002.00000001.sdmp; Strings found in binary or memory:
  • http://fontfabrik.com
  • http://www.apache.org/licenses/LICENSE-2.0
  • http://www.carterandcone.coml
  • http://www.fontbureau.com
  • http://www.fontbureau.com/designers/?
  • http://www.fontbureau.com/designers/cabarga.htmlN
  • http://www.fontbureau.com/designers/frere-jones.html
  • http://www.fontbureau.com/designers8
  • http://www.fontbureau.com/designers?
  • http://www.fontbureau.com/designersG
  • http://www.fonts.com
  • http://www.founder.com.cn/cn
  • http://www.founder.com.cn/cn/bThe
  • http://www.founder.com.cn/cn/cThe
  • http://www.galapagosdesign.com/DPlease
  • http://www.galapagosdesign.com/staff/dennis.htm
  • http://www.goodfont.co.kr
  • http://www.jiyu-kobo.co.jp/
  • http://www.sajatypeworks.com
  • http://www.sakkal.com
  • http://www.sandoll.co.kr
  • http://www.typography.netD
  • http://www.urwpp.deDPlease
  • http://www.zhongyicts.com.cn
Source: YYtJku.exe, 0000000A.00000002.542937441.00000000057C0000.00000002.00000001.sdmp; Strings found in binary or memory:
  • http://www.fontbureau.com/designers
  • http://www.tiro.com
Source: YYtJku.exe, 00000009.00000002.507449281.0000000000D88000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: SAMPLE ORDER pdf.exe
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe; Code functions:
  0_2_00E4E448, 0_2_00E4E458, 0_2_00E4B7FC, 0_2_04F88DEF,
  5_2_00DDDAE8, 5_2_027B07B0, 5_2_027B0448, 5_2_027B24DC, 5_2_027B8958, 5_2_027B36E0,
  5_2_027B43D1, 5_2_027B0420, 5_2_027B24D0, 5_2_027B8948, 5_2_027B35F1, 5_2_027B7B41,
  5_2_027B7F2E, 5_2_027B7FA9, 5_2_06050708, 5_2_06053C00, 5_2_0605AC48, 5_2_06057D20,
  5_2_06059A18, 5_2_06055B40, 5_2_060523A8, 5_2_06052828, 5_2_0605B870, 5_2_060560D0,
  5_2_06058148, 5_2_0605C957, 5_2_06053698, 5_2_060577F0, 5_2_0605AC38, 5_2_06057D1F,
  5_2_0605AD56, 5_2_06053578, 5_2_0605D229, 5_2_06059ABA, 5_2_06059B26, 5_2_06059B36,
  5_2_06055B30, 5_2_06052399, 5_2_06053BF0, 5_2_06050006, 5_2_06057800, 5_2_06052819,
  5_2_06050040, 5_2_0605B860, 5_2_060540A5, 5_2_060560C1, 5_2_0605813B, 5_2_0605715F,
  5_2_0605719E, 5_2_060509A2, 5_2_064EA6F8, 5_2_064E5670
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe; Code functions:
  9_2_00EEE448, 9_2_00EEE458, 9_2_00EEB7FC, 9_2_070665A0, 9_2_0706B4A0, 9_2_07068E70,
  9_2_070639C0, 9_2_070658C0, 9_2_070606D8, 9_2_070606E8, 9_2_07066590, 9_2_070604E1,
  9_2_070604F0, 9_2_0706120D, 9_2_07060251, 9_2_07060260, 9_2_07064268, 9_2_07065270,
  9_2_07061278, 9_2_07065280, 9_2_070642B0, 9_2_07060006, 9_2_07060040, 9_2_07063C58,
  9_2_07066A10, 9_2_07067A31, 9_2_07069958, 9_2_070639B0, 9_2_07065895, 9_2_070648B8,
  10_2_06A78E70, 10_2_06A75F38, 10_2_06A7B4A0, 10_2_06A765A0, 10_2_06A739C0, 10_2_06A742B0,
  10_2_06A75280, 10_2_06A706E8, 10_2_06A706D8, 10_2_06A77A31, 10_2_06A76A10, 10_2_06A70260,
  10_2_06A75270, 10_2_06A71278, 10_2_06A71257, 10_2_06A70251, 10_2_06A75F28, 10_2_06A748B8,
  10_2_06A704E1, 10_2_06A704F0, 10_2_06A70007, 10_2_06A70040, 10_2_06A73C48, 10_2_06A73C58,
  10_2_06A739B0, 10_2_06A76592, 10_2_06A79958,
  13_2_067F7670, 13_2_067F8F60, 13_2_067F1CE0, 13_2_067F5490, 13_2_067F3550, 13_2_067F5A20,
  13_2_067FC2A8, 13_2_067F7A98, 13_2_067FC330, 13_2_067F0040
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F216013_2_067F2160
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067FB1C013_2_067FB1C0
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F766013_2_067F7660
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F2EC813_2_067F2EC8
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F2FE813_2_067F2FE8
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F1C7013_2_067F1C70
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F1C5013_2_067F1C50
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F548013_2_067F5480
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F5A1013_2_067F5A10
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F6AEE13_2_067F6AEE
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F02DA13_2_067F02DA
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F92C813_2_067F92C8
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F6AB413_2_067F6AB4
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067FA29E13_2_067FA29E
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F7A8813_2_067F7A88
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F837B13_2_067F837B
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F838813_2_067F8388
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F907E13_2_067F907E
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F906E13_2_067F906E
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F900213_2_067F9002
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F215013_2_067F2150
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F715013_2_067F7150
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067F714113_2_067F7141
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_067FB1B013_2_067FB1B0
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_0687A37813_2_0687A378
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_0687534013_2_06875340
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_06899E9813_2_06899E98
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_0689DFD813_2_0689DFD8
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_0689E88813_2_0689E888
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_06898CD813_2_06898CD8
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_0689883013_2_06898830
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_0689004013_2_06890040
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_0689C59813_2_0689C598
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_068991F813_2_068991F8
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_06899E8913_2_06899E89
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_068956C813_2_068956C8
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_0689F63013_2_0689F630
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_0689A25013_2_0689A250
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_0689B66013_2_0689B660
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_0689DFC813_2_0689DFC8
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_0689BFDB13_2_0689BFDB
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_0689BFE813_2_0689BFE8
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_0689D70113_2_0689D701
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_0689D71013_2_0689D710
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_06899F4A13_2_06899F4A
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_0689F36013_2_0689F360
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_06898CC813_2_06898CC8
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_0689CCDF13_2_0689CCDF
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_0689C58813_2_0689C588
                  Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 13_2_068991E813_2_068991E8
Source: SAMPLE ORDER pdf.exe | Binary or memory string: OriginalFilename vs SAMPLE ORDER pdf.exe
Source: SAMPLE ORDER pdf.exe, 00000000.00000002.426474115.000000000D370000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SAMPLE ORDER pdf.exe
Source: SAMPLE ORDER pdf.exe, 00000000.00000002.426474115.000000000D370000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SAMPLE ORDER pdf.exe
Source: SAMPLE ORDER pdf.exe, 00000000.00000002.425736433.0000000007560000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs SAMPLE ORDER pdf.exe
Source: SAMPLE ORDER pdf.exe, 00000000.00000002.426298065.000000000D270000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SAMPLE ORDER pdf.exe
Source: SAMPLE ORDER pdf.exe, 00000000.00000002.411034630.0000000002A31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWinRar.dll. vs SAMPLE ORDER pdf.exe
Source: SAMPLE ORDER pdf.exe, 00000000.00000002.416312969.0000000002D7E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIoNPSwavOXOMnqfenKWnBrmzEJyUbjHuOXvnJ.exe4 vs SAMPLE ORDER pdf.exe
Source: SAMPLE ORDER pdf.exe, 00000000.00000002.425977553.0000000007720000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs SAMPLE ORDER pdf.exe
Source: SAMPLE ORDER pdf.exe, 00000005.00000002.659285564.0000000006090000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs SAMPLE ORDER pdf.exe
Source: SAMPLE ORDER pdf.exe, 00000005.00000002.646072858.0000000000AF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SAMPLE ORDER pdf.exe
Source: SAMPLE ORDER pdf.exe, 00000005.00000002.645151885.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameIoNPSwavOXOMnqfenKWnBrmzEJyUbjHuOXvnJ.exe4 vs SAMPLE ORDER pdf.exe
Source: SAMPLE ORDER pdf.exe, 00000005.00000002.659145633.0000000006040000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs SAMPLE ORDER pdf.exe
Source: SAMPLE ORDER pdf.exe, 00000005.00000002.658247639.00000000050F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs SAMPLE ORDER pdf.exe
Source: SAMPLE ORDER pdf.exe, 00000005.00000002.659238387.0000000006060000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs SAMPLE ORDER pdf.exe
Source: SAMPLE ORDER pdf.exe | Binary or memory string: OriginalFilenameqN4.exe( vs SAMPLE ORDER pdf.exe
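The OriginalFilename entries above come from scanning process memory for VS_VERSIONINFO string tables and comparing each value with the name the sample was run as. Values that belong neither to the sample nor to a runtime module the process would load anyway (here IoNPSwavOXOMnqfenKWnBrmzEJyUbjHuOXvnJ.exe, B2B.exe and qN4.exe) are the ones that point at a second executable unpacked in memory. The Python below is an added example of that check, not the sandbox's own scanner: the memory buffer is constructed inside the block, and the allow-list of runtime module names is an assumption made for the example. It stops each value at the first UTF-16 NUL, so it does not pick up the stray trailing bytes visible in some of the report strings (mscorrc.dllT, B2B.exe4).

```python
from __future__ import annotations

"""Extract VS_VERSIONINFO 'OriginalFilename' values from raw process memory and
compare them with the name the sample runs under.  Added example with a
constructed buffer; not the sandbox's own scanner."""

# The key as it appears in a VS_VERSIONINFO String entry: UTF-16LE, NUL-terminated.
# The value follows after padding to a 4-byte boundary.
KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"

# Module names a managed process is expected to carry in memory.  Assumption
# for this example, not an exhaustive allow-list.
EXPECTED_IN_DOTNET_PROCESS = {"mscorrc.dll", "mscorlib.dll", "propsys.dll.mui",
                              "wshom.ocx", "wshom.ocx.mui", "wbemdisp.tlb"}


def extract_original_filenames(buf: bytes, max_chars: int = 260) -> list[str]:
    """Return every OriginalFilename value in buf, in order of appearance."""
    found = []
    pos = 0
    while (idx := buf.find(KEY, pos)) >= 0:
        cur = idx + len(KEY)
        # Skip DWORD-alignment padding two bytes at a time so we stay on
        # UTF-16 code-unit boundaries.
        while buf[cur:cur + 2] == b"\x00\x00":
            cur += 2
        units = []
        while cur + 1 < len(buf) and len(units) < max_chars:
            unit = buf[cur:cur + 2]
            if unit == b"\x00\x00":          # UTF-16 terminator
                break
            units.append(unit)
            cur += 2
        value = b"".join(units).decode("utf-16-le", errors="replace")
        if value and value.isprintable():
            found.append(value)
        pos = cur
    return found


def suspicious_original_filenames(observed, on_disk_name: str) -> list[str]:
    """Names matching neither the file on disk nor an expected runtime module:
    a hint at an embedded or injected payload."""
    target = on_disk_name.casefold()
    return sorted({n for n in observed
                   if n.casefold() != target
                   and n.casefold() not in EXPECTED_IN_DOTNET_PROCESS})


def _string_entry(key: str, value: str) -> bytes:
    """Lay out one String entry the way VS_VERSIONINFO does: key, NUL, padding
    to a DWORD boundary, value, NUL, all UTF-16LE."""
    blob = key.encode("utf-16-le") + b"\x00\x00"
    blob += b"\x00" * (-len(blob) % 4)
    return blob + value.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for a dump of the sample's process: a CLR resource DLL,
# a payload whose version info names an unrelated executable, and the sample.
CONSTRUCTED_DUMP = (
    b"\x90" * 17
    + _string_entry("OriginalFilename", "mscorrc.dll")
    + b"\xcc" * 9
    + _string_entry("OriginalFilename", "IoNPSwavOXOMnqfenKWnBrmzEJyUbjHuOXvnJ.exe")
    + b"\x00" * 5
    + _string_entry("OriginalFilename", "SAMPLE ORDER pdf.exe")
)

if __name__ == "__main__":
    names = extract_original_filenames(CONSTRUCTED_DUMP)
    print("observed:", names)
    print("suspicious:", suspicious_original_filenames(names, "SAMPLE ORDER pdf.exe"))
```

Run against a real minidump the same function applies unchanged; the only thing to tune is the allow-list, which should be built from the modules actually mapped in the process rather than a fixed set.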
Source: SAMPLE ORDER pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CWGcQKxFZ.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: YYtJku.exe.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@18/8@2/3
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | File created: C:\Users\user\AppData\Roaming\CWGcQKxFZ.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3084:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4768:120:WilError_01
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmp8420.tmp
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SAMPLE ORDER pdf.exe | Virustotal: Detection: 41%
Source: SAMPLE ORDER pdf.exe | ReversingLabs: Detection: 22%
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | File read: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe 'C:\Users\user\Desktop\SAMPLE ORDER pdf.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CWGcQKxFZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp8420.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe {path}
Source: unknown | Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CWGcQKxFZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp3EF4.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe {path}
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CWGcQKxFZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp60A5.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe {path}
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CWGcQKxFZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp8420.tmp'
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | Process created: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe {path}
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CWGcQKxFZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp3EF4.tmp'
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe {path}
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CWGcQKxFZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp60A5.tmp'
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe {path}
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SAMPLE ORDER pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SAMPLE ORDER pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: SAMPLE ORDER pdf.exe, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
Source: CWGcQKxFZ.exe.0.dr, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
Source: 0.2.SAMPLE ORDER pdf.exe.690000.0.unpack, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
Source: 0.0.SAMPLE ORDER pdf.exe.690000.0.unpack, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
Source: YYtJku.exe.5.dr, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
Source: 5.0.SAMPLE ORDER pdf.exe.6f0000.0.unpack, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
Source: 5.2.SAMPLE ORDER pdf.exe.6f0000.1.unpack, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
Source: 9.2.YYtJku.exe.730000.0.unpack, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
Source: 9.0.YYtJku.exe.730000.0.unpack, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
Source: 10.0.YYtJku.exe.440000.0.unpack, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
Source: 10.2.YYtJku.exe.440000.0.unpack, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
Source: 13.2.YYtJku.exe.e30000.1.unpack, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
Source: 13.0.YYtJku.exe.e30000.0.unpack, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
.NET source code contains potential unpacker
Source: SAMPLE ORDER pdf.exe, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: CWGcQKxFZ.exe.0.dr, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.SAMPLE ORDER pdf.exe.690000.0.unpack, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SAMPLE ORDER pdf.exe.690000.0.unpack, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: YYtJku.exe.5.dr, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.SAMPLE ORDER pdf.exe.6f0000.0.unpack, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.SAMPLE ORDER pdf.exe.6f0000.1.unpack, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.YYtJku.exe.730000.0.unpack, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.YYtJku.exe.730000.0.unpack, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.YYtJku.exe.440000.0.unpack, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.YYtJku.exe.440000.0.unpack, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.YYtJku.exe.e30000.1.unpack, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.YYtJku.exe.e30000.0.unpack, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | Code function: 0_2_00E4F8E4 pushfd ; iretd 0_2_00E4F8E5
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | Code function: 0_2_00E4F810 push esp; iretd 0_2_00E4F811
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | Code function: 5_2_06055FE8 push esp; retf 5_2_06055FF5
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | Code function: 5_2_06050BA4 push eax; retf 5_2_06050BA5
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | Code function: 5_2_06050BD0 push ss; iretd 5_2_06050BD1
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | Code function: 5_2_0605912A push eax; retf 5_2_06059132
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | Code function: 5_2_064E96C2 push ebp; ret 5_2_064E96C3
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | Code function: 5_2_064E96D4 push ecx; ret 5_2_064E96D5
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | Code function: 5_2_064E96B2 push ebp; ret 5_2_064E96B3
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | Code function: 5_2_064E8556 push es; ret 5_2_064E856C
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | Code function: 5_2_064E8A61 push es; ret 5_2_064E8A70
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 9_2_00EEF8E4 pushfd ; iretd 9_2_00EEF8E5
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 9_2_00EEF810 push esp; iretd 9_2_00EEF811
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 9_2_070627AA push 91FFFFFEh; ret 9_2_070627AF
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 9_2_070661E6 push esi; iretd 9_2_070661E7
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 10_2_06A7363F push es; ret 10_2_06A73640
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 10_2_06A727AA push 91FFFFFEh; ret 10_2_06A727AF
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 10_2_06A711C7 push es; ret 10_2_06A7120C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 13_2_067FD7DB push es; iretd 13_2_067FD7E0
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 13_2_067F1C50 push es; ret 13_2_067F1C60
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 13_2_067F0508 push ss; iretd 13_2_067F0509
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 13_2_067F6367 push 8BFFFFFFh; retf 13_2_067F636C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 13_2_067FA0AF push es; iretd 13_2_067FA0B0
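The entries above are byte-pattern hits for a push immediately followed by a ret, retf or iretd, the sequence that turns a return instruction into an unconditional jump to whatever was pushed. The Python below is an added example of such a scan over a constructed byte string; it is not the sandbox's detector. Two caveats matter when reading these hits: the addresses listed (0x06A7xxxx, 0x067Fxxxx, 0x0706xxxx) lie well outside the image bases the unpack names give for these processes (0x730000, 0x440000, 0xe30000), so they are in memory mapped at runtime rather than in the file's .text section, and a byte-wise scan has no notion of instruction boundaries, so it also matches immediates or data that merely look like a push/ret pair. Treat a single hit as a weak signal and confirm it in a disassembler.

```python
from __future__ import annotations

"""Scan raw x86 bytes for 'push X; ret'-style sequences.  Added example over
constructed bytes; not the sandbox's own detector."""

PUSH_REG = {0x50: "eax", 0x51: "ecx", 0x52: "edx", 0x53: "ebx",
            0x54: "esp", 0x55: "ebp", 0x56: "esi", 0x57: "edi"}
PUSH_SEG = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
PUSHFD = 0x9C
PUSH_IMM32 = 0x68
# opcode -> (mnemonic, size of trailing immediate)
RETURNS = {0xC3: ("ret", 0), 0xC2: ("ret imm16", 2), 0xCB: ("retf", 0),
           0xCA: ("retf imm16", 2), 0xCF: ("iretd", 0)}


def _return_at(buf: bytes, off: int) -> str | None:
    """Mnemonic of the return instruction starting at off, or None."""
    if off >= len(buf):
        return None
    entry = RETURNS.get(buf[off])
    if entry is None:
        return None
    name, imm = entry
    if off + 1 + imm > len(buf):       # immediate would run past the buffer
        return None
    return name


def _push_name(op: int) -> str:
    if op == PUSHFD:
        return "pushfd"
    return "push " + (PUSH_REG.get(op) or PUSH_SEG[op])


def find_push_ret(buf: bytes) -> list[tuple[int, str]]:
    """Return (offset, description) for every push directly followed by a
    return.  Every byte is tried as an instruction start, so overlapping and
    spurious matches are possible by design; filtering is the analyst's job."""
    hits = []
    for i, op in enumerate(buf):
        if op == PUSH_IMM32 and i + 5 <= len(buf):
            imm = int.from_bytes(buf[i + 1:i + 5], "little")
            ret = _return_at(buf, i + 5)
            if ret:
                hits.append((i, f"push 0x{imm:08X}; {ret}"))
        elif op in PUSH_REG or op in PUSH_SEG or op == PUSHFD:
            ret = _return_at(buf, i + 1)
            if ret:
                hits.append((i, f"{_push_name(op)}; {ret}"))
    return hits


# Constructed fragment: two NOPs, the 'push 91FFFFFEh; ret' sequence listed in
# the report, an ordinary function prologue (push ebp; mov ebp, esp), then
# 'push eax; ret' and 'push es; iretd'.
CONSTRUCTED_CODE = (b"\x90\x90"
                    + b"\x68\xFE\xFF\xFF\x91\xC3"
                    + b"\x55\x8B\xEC"
                    + b"\x50\xC3"
                    + b"\x06\xCF")

if __name__ == "__main__":
    for off, desc in find_push_ret(CONSTRUCTED_CODE):
        print(f"{off:#06x}: {desc}")
```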
Source: initial sample | Static PE information: section name: .text entropy: 7.97185958344
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | File created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe (dropped file)
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | File created: C:\Users\user\AppData\Roaming\CWGcQKxFZ.exe (dropped file)
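The .text entropy of 7.97 reported for the initial sample, read together with the section flags listed earlier in this section (IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ), is the static signal that the executable section holds compressed or encrypted data rather than plain compiled code; 8.0 is the maximum for byte data and ordinary x86 or CIL code sits well below 7. The Python below is an added example, not the sandbox's code, that parses a PE section table, computes per-section Shannon entropy and decodes those flags. The PE image it runs on is built inside the block, and the 7.0 threshold is an assumption chosen for the example.

```python
from __future__ import annotations

"""Per-section entropy and characteristics for a PE file.  Added example over a
constructed PE image; not the sandbox's own code."""
import math
import random
import struct
from collections import Counter

SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
FILE_ALIGN = 0x200
PACKED_THRESHOLD = 7.0   # assumption: code sections above this are likely packed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def describe_flags(characteristics: int) -> list[str]:
    return [name for bit, name in SECTION_FLAGS.items() if characteristics & bit]


def section_report(pe: bytes) -> dict[str, dict]:
    """Map section name -> entropy, decoded flags and a packed verdict."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsect, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    out = {}
    for i in range(nsect):
        name, _vsize, _va, raw_size, raw_ptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size]
        ent = shannon_entropy(data)
        flags = describe_flags(sc)
        out[name.rstrip(b"\x00").decode("ascii", "replace")] = {
            "entropy": round(ent, 3),
            "flags": flags,
            "likely_packed": ent > PACKED_THRESHOLD and "IMAGE_SCN_MEM_EXECUTE" in flags,
        }
    return out


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_constructed_pe(sections) -> bytes:
    """Assemble a minimal PE32 image from (name, data, characteristics) triples.
    Enough header for section parsing; deliberately not a loadable binary."""
    opt = struct.pack("<H", 0x10B).ljust(224, b"\x00")        # PE32 magic, rest zero
    hdr_len = 0x40 + 4 + 20 + len(opt) + 40 * len(sections)
    hdr_size = _align(hdr_len, FILE_ALIGN)
    table, body = b"", b""
    raw_ptr, va = hdr_size, 0x1000
    for name, data, flags in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name, len(data), va, raw_size, raw_ptr,
                             0, 0, 0, 0, flags)
        body += data.ljust(raw_size, b"\x00")
        raw_ptr += raw_size
        va += _align(len(data), 0x1000)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    dos = b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    headers = dos + b"PE\x00\x00" + file_hdr + opt + table
    return headers.ljust(hdr_size, b"\x00") + body


# Constructed sample: a high-entropy .text standing in for an encrypted payload
# and a low-entropy .rdata of repeated text.  Fixed seed keeps the numbers stable.
_rng = random.Random(7)
CONSTRUCTED_PE = build_constructed_pe([
    (b".text", bytes(_rng.getrandbits(8) for _ in range(4096)), 0x60000020),
    (b".rdata", b"low-entropy string table, repeated. " * 30, 0x40000040),
])

if __name__ == "__main__":
    for sect, info in section_report(CONSTRUCTED_PE).items():
        print(sect, info)
```

On a real file the same function is called with the file's bytes; the flags it prints for .text are the three the report lists, and a .text entropy near 8 on a .NET binary is a strong hint that the visible assembly is only a loader.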

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CWGcQKxFZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp8420.tmp'
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run YYtJku

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | File opened: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | File opened: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe:Zone.Identifier read attributes | delete
Moves itself to temp directory
Source: c:\users\user\desktop\sample order pdf.exe | File moved: C:\Users\user\AppData\Local\Temp\tmpG799.tmp
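The schtasks.exe /Create ... /XML ...\AppData\Local\Temp\tmp8420.tmp command and the HKCU ...\CurrentVersion\Run value YYtJku under Boot Survival, and the delete-access open on YYtJku.exe:Zone.Identifier just above, are three separate host signals, each cheap to flag from process-creation, registry and file-access telemetry. The Python below is an added example of that detection logic; it is neither a Sigma rule nor the sandbox's own signature. The event records are constructed for the example from the commands and paths in this report, plus two benign look-alikes (a task registered from a vendor directory, a read-only open of a Zone.Identifier stream) that must not fire.

```python
from __future__ import annotations

"""Flag scheduled-task-from-Temp, Run-key persistence and Zone.Identifier
removal over constructed host events.  Added example; not a Sigma rule."""
import re

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
RUN_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run",
            "\\software\\microsoft\\windows\\currentversion\\runonce")
XML_ARG = re.compile(r"""/xml\s+['"]?([^'"]+)""", re.IGNORECASE)


def _in_temp(path: str) -> bool:
    return any(d in path.casefold() for d in TEMP_DIRS)


def check_schtasks_from_temp(ev: dict) -> tuple[str, str] | None:
    """schtasks.exe /Create ... /XML <file> where the XML lives in a Temp directory."""
    if ev.get("type") != "process" or not ev["image"].casefold().endswith("\\schtasks.exe"):
        return None
    cmd = ev["cmdline"]
    if "/create" not in cmd.casefold():
        return None
    m = XML_ARG.search(cmd)
    if m and _in_temp(m.group(1)):
        return ("scheduled task from temp XML", f"{ev['parent']} -> {cmd}")
    return None


def check_run_key(ev: dict) -> tuple[str, str] | None:
    """Any value written under a Run/RunOnce key."""
    if ev.get("type") != "registry":
        return None
    if ev["key"].casefold().rstrip("\\").endswith(RUN_KEYS):
        return ("run key persistence", f"{ev['key']}\\{ev['value']}")
    return None


def check_zone_identifier_delete(ev: dict) -> tuple[str, str] | None:
    """Zone.Identifier stream opened with delete access: mark-of-the-web removal."""
    if ev.get("type") != "file":
        return None
    if ev["path"].casefold().endswith(":zone.identifier") and "delete" in ev["access"].casefold():
        return ("mark-of-the-web removal", f"{ev['image']} deleted {ev['path']}")
    return None


CHECKS = (check_schtasks_from_temp, check_run_key, check_zone_identifier_delete)


def triage(events) -> list[tuple[str, str]]:
    """Run every check over every event; return (finding, evidence) pairs in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed events modelled on this report, plus two benign look-alikes.
CONSTRUCTED_EVENTS = [
    {"type": "process", "parent": r"C:\Users\user\Desktop\SAMPLE ORDER pdf.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CWGcQKxFZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp8420.tmp'"},
    {"type": "process", "parent": r"C:\Program Files\Vendor\setup.exe",      # benign: hypothetical installer
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /Create /TN 'Vendor\Updater' /XML 'C:\Program Files\Vendor\updater.xml'"},
    {"type": "registry", "image": r"C:\Users\user\Desktop\SAMPLE ORDER pdf.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "value": "YYtJku"},
    {"type": "file", "image": r"C:\Users\user\Desktop\SAMPLE ORDER pdf.exe",
     "path": r"C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe:Zone.Identifier",
     "access": "read attributes | delete"},
    {"type": "file", "image": r"C:\Program Files\Browser\browser.exe",       # benign: hypothetical browser read
     "path": r"C:\Users\user\Downloads\report.pdf:Zone.Identifier", "access": "read"},
]

if __name__ == "__main__":
    for finding, evidence in triage(CONSTRUCTED_EVENTS):
        print(f"[{finding}] {evidence}")
```

The three checks are kept independent on purpose: the scheduled-task rule fires on telemetry from any EDR that records command lines, the Run-key rule needs registry auditing, and the Zone.Identifier rule needs file-stream access logging, which not every sensor provides.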
Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SAMPLE ORDER pdf.exeProcess information set: NOOPENFILEERRORBOXJ