
Analysis Report Fatura #U00f6dem(finial invoice.SOA_pdf.exe

Overview

General Information

Sample Name: Fatura #U00f6dem(finial invoice.SOA_pdf.exe
Analysis ID: 299590
MD5: 48a6a295b4fb88ac9523f7a55379a3b7
SHA1: 129f91cde6da0ae37147ba33cc74e05986a0f303
SHA256: 806139746512dd321b595ce4283f32de1d6862730d2ef4260c796f88ebb5c06c
Tags: AgentTesla, exe, geo, TUR

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected AgentTesla
Yara detected AntiVM_3
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Fatura #U00f6dem(finial invoice.SOA_pdf.exe (PID: 6784 cmdline: 'C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe' MD5: 48A6A295B4FB88AC9523F7A55379A3B7)
    • Fatura #U00f6dem(finial invoice.SOA_pdf.exe (PID: 6868 cmdline: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe MD5: 48A6A295B4FB88AC9523F7A55379A3B7)
      • netsh.exe (PID: 6544 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "c5ThBMVaYbw", "URL: ": "http://POEyLEHXTx9Ty.net", "To: ": "noekons@gmail.com", "ByHost: ": "mail.hospitalveterinariosur.com:587", "Password: ": "HchLmOYRzh", "From: ": "info@hospitalveterinariosur.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.242665617.0000000003001000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000001.00000002.500650740.0000000003408000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.499016680.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.500835632.000000000348F000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.242790892.000000000304D000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.Fatura #U00f6dem(finial invoice.SOA_pdf.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started, Author: Joe Security, Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, ParentImage: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, ParentProcessId: 6868, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 6544

Signature Overview

AV Detection:

Found malware configuration
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe.6868.1.memstr, Malware Configuration Extractor: Agenttesla {"Username: ": "c5ThBMVaYbw", "URL: ": "http://POEyLEHXTx9Ty.net", "To: ": "noekons@gmail.com", "ByHost: ": "mail.hospitalveterinariosur.com:587", "Password: ": "HchLmOYRzh", "From: ": "info@hospitalveterinariosur.com"}
Multi AV Scanner detection for submitted file
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, ReversingLabs: Detection: 16%
Machine Learning detection for sample
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Joe Sandbox ML: detected
Source: 1.2.Fatura #U00f6dem(finial invoice.SOA_pdf.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_06B89C88 CryptUnprotectData, 1_2_06B89C88
Source: global traffic, TCP traffic: 192.168.2.3:49742 -> 78.142.63.55:587
Source: Joe Sandbox View, IP Address: 78.142.63.55
Source: Joe Sandbox View, ASN Name: TELEPOINTBG
Source: global traffic, TCP traffic: 192.168.2.3:49742 -> 78.142.63.55:587
              Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.500835632.000000000348F000.00000004.00000001.sdmpString found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' 
use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
Source: unknown, DNS traffic detected: queries for: mail.hospitalveterinariosur.com
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.501076326.0000000003561000.00000004.00000001.sdmp, String found in binary or memory: http://POEyLEHXTx9Ty.net
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.505362662.0000000006BE0000.00000004.00000001.sdmp, String found in binary or memory: http://apps.iden
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.501143730.00000000035CA000.00000004.00000001.sdmp, String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.501143730.00000000035CA000.00000004.00000001.sdmp, String found in binary or memory: http://cert.int-x3.letsencrypt.org/0C
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.501143730.00000000035CA000.00000004.00000001.sdmp, String found in binary or memory: http://cps.letsencrypt.org0
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.501143730.00000000035CA000.00000004.00000001.sdmp, String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.501143730.00000000035CA000.00000004.00000001.sdmp, String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.500835632.000000000348F000.00000004.00000001.sdmp, String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.500835632.000000000348F000.00000004.00000001.sdmp, String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.501143730.00000000035CA000.00000004.00000001.sdmp, String found in binary or memory: http://hospitalveterinariosur.com
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.501143730.00000000035CA000.00000004.00000001.sdmp, String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.501143730.00000000035CA000.00000004.00000001.sdmp, String found in binary or memory: http://mail.hospitalveterinariosur.com
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.501143730.00000000035CA000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000000.00000002.242665617.0000000003001000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.500835632.000000000348F000.00000004.00000001.sdmp, String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.500835632.000000000348F000.00000004.00000001.sdmp, String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.500835632.000000000348F000.00000004.00000001.sdmp, String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.500835632.000000000348F000.00000004.00000001.sdmp, String found in binary or memory: https://support.google.com/chrome/answer/6258784

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: Fatura #U00f6dem(finial invoice.SOA_pdf.exe
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 0_2_02FECFC8
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 0_2_02FE9BDC
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 0_2_063E6468
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 0_2_063EB9E0
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 0_2_063E6459
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 0_2_063E0006
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 0_2_063E0040
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 0_2_063E5AB0
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 0_2_063E5AA0
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 0_2_063E1932
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_05BA4540
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_05BA8C20
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_05BA1610
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_05BA11A8
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_05BA5208
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_05BA4532
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_05BA8C11
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_05BA5632
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_05BA1600
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_05BA1198
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_05BA90E0
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_05BA9065
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_05BA93CB
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_06AA1FA8
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_06AA25E0
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_06AAAAF0
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_06AAE238
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_06AABF08
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_06AAE747
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_06AAE585
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_06AAE229
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_06B8C4D0
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_06B8DC20
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_06B8A3A8
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_06B8CD50
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Binary or memory string: OriginalFilename vs Fatura #U00f6dem(finial invoice.SOA_pdf.exe
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000000.00000002.242665617.0000000003001000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameexag vs Fatura #U00f6dem(finial invoice.SOA_pdf.exe
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000000.00000002.242665617.0000000003001000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSKLWBxrcuohFBdTFqIBtrNsTgxbVlFetfwZjtM.exe4 vs Fatura #U00f6dem(finial invoice.SOA_pdf.exe
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000000.00000000.233747236.0000000000C62000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameC2Ub.exe6 vs Fatura #U00f6dem(finial invoice.SOA_pdf.exe
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000000.00000002.247507659.0000000006290000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameKedermister.dllT vs Fatura #U00f6dem(finial invoice.SOA_pdf.exe
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Binary or memory string: OriginalFilename vs Fatura #U00f6dem(finial invoice.SOA_pdf.exe
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.499279468.000000000044E000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenameSKLWBxrcuohFBdTFqIBtrNsTgxbVlFetfwZjtM.exe4 vs Fatura #U00f6dem(finial invoice.SOA_pdf.exe
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.505130846.0000000006AB0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs Fatura #U00f6dem(finial invoice.SOA_pdf.exe
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.505737026.0000000007220000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Fatura #U00f6dem(finial invoice.SOA_pdf.exe
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.499303642.0000000000FB2000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameC2Ub.exe6 vs Fatura #U00f6dem(finial invoice.SOA_pdf.exe
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.499500052.00000000011F8000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Fatura #U00f6dem(finial invoice.SOA_pdf.exe
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.504104189.0000000005AC0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs Fatura #U00f6dem(finial invoice.SOA_pdf.exe
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.505314141.0000000006B70000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamewshom.ocx.mui vs Fatura #U00f6dem(finial invoice.SOA_pdf.exe
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Binary or memory string: OriginalFilenameC2Ub.exe6 vs Fatura #U00f6dem(finial invoice.SOA_pdf.exe
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Section loaded: ncryptsslp.dll
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@6/3@2/2
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Fatura #U00f6dem(finial invoice.SOA_pdf.exe.log
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_01
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 identical entries)
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 identical entries)
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, File read: C:\Windows\System32\drivers\etc\hosts (4 identical entries)
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, ReversingLabs: Detection: 16%
Source: unknown, Process created: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe 'C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe'
Source: unknown, Process created: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe
Source: unknown, Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Process created: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 0_2_02FEE8E0 push esp; iretd 0_2_02FEE8E1
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 0_2_02FEE940 pushfd ; iretd 0_2_02FEE949
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 0_2_063EA506 push es; ret 0_2_063EA508
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 0_2_063E5246 push es; iretd 0_2_063E5248
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 0_2_063E502E push es; ret 0_2_063E5080
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 0_2_063E500A push es; ret 0_2_063E5080
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 0_2_063E505D push es; ret 0_2_063E5080
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 0_2_063E4136 push es; retf 0_2_063E4137
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 0_2_063E4EB2 push es; iretd 0_2_063E4F70
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 0_2_063E4D09 push es; retf 0_2_063E4D14
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_06AA72C5 push es; ret 1_2_06AA72C8
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_06AA79FF push edi; retn 0000h 1_2_06AA7A01
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_06B83BAF push 8B000003h; iretd 1_2_06B83BB4
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe, Code function: 1_2_06B849A7 push 8BFFFFFFh; retf 1_2_06B849AD
Source: initial sample, Static PE information: section name: .text entropy: 7.68047720962
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match, File source: 00000000.00000002.242665617.0000000003001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.242790892.000000000304D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Fatura #U00f6dem(finial invoice.SOA_pdf.exe PID: 6784, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000000.00000002.242665617.0000000003001000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000000.00000002.242665617.0000000003001000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe Window / User API: threadDelayed 633
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 6788 Thread sleep time: -51412s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 6816 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 2220 Thread sleep count: 157 > 30
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 2220 Thread sleep count: 633 > 30
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -54718s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -52218s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -50906s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -50718s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -49594s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -48718s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -47812s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -46500s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -46312s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -46094s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -45406s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -45218s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -88624s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -44094s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -43718s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -43218s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -43000s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -42594s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -41906s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -41500s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -61218s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -40594s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -40406s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -40218s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -39500s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -39312s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -39094s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -38406s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -38218s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -38000s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -74624s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -37094s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -36906s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -36218s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -35812s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -34906s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -67624s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -33406s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -33218s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -32718s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -32500s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -32312s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -32094s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -31406s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -31218s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -31000s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -60624s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -30094s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -59812s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -59594s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -88968s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -88359s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -87750s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -86718s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -57594s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -86109s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -85359s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -84750s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -84468s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -84141s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -83718s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -83391s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -55406s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -82500s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -81750s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -81468s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -81141s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -80859s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -53406s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -79500s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -79218s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -51500s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -76968s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -49312s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -73641s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -68718s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -68391s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -66750s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -65109s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -63468s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -63141s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -61500s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -59859s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -38812s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -57891s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -56250s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -54609s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -52968s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -52641s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -34000s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -49359s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -47718s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -47391s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -45750s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -44109s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -42468s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -42141s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -58688s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -58312s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -56688s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -55188s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -54812s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -53688s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -53188s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -52594s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -52312s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -52094s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -51906s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -51688s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -51000s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -50812s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -50594s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -50406s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -50188s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -49906s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -49688s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -49500s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -48812s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -48594s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -48406s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -48188s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -48000s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -47500s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -47312s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -47094s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -46906s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -46688s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -46406s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -46188s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -46000s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -45312s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -45094s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -44906s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -44688s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -44000s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -43812s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -43594s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -43188s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -42906s >= -30000s
Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744 Thread sleep time: -42688s >= -30000s
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -42500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -41812s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -41594s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -41406s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -41188s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -40500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -40312s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -40094s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -39688s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -39406s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -39188s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -39000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -38312s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -38094s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -37906s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -37688s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -37000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -36812s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -36594s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -36188s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -35906s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -35688s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -35500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -34812s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -34594s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -34406s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -34188s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -33500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -33312s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -33094s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -32688s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -32406s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -32188s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -32000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -31312s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -31094s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -30906s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -30688s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe TID: 1744Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe Last function: Thread delayed
              Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000000.00000002.242665617.0000000003001000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000000.00000002.242665617.0000000003001000.00000004.00000001.sdmp Binary or memory string: vmware
              Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000000.00000002.242665617.0000000003001000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
              Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000001.00000002.505362662.0000000006BE0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: Fatura #U00f6dem(finial invoice.SOA_pdf.exe, 00000000.00000002.242665617.0000000003001000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe Code function: 1_2_06AADE60 LdrInitializeThunk
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              Injects a PE file into a foreign process
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe Memory written: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe Process created: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe
              Source: C:\Users\user\Desktop\Fatura #U00f6dem(finial invoice.SOA_pdf.exe<
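              The three findings above (the repeated long sleeps on TID 1744 checked against the -30000s threshold, the Win32_Processor WMI queries and VMware/Hyper-V memory strings, and the self-spawned copy that receives an MZ header at base 400000) can each be re-derived mechanically from the evidence lines. The following Python script is an added example, not Joe Sandbox code and not code from the sample: it parses behaviour lines of the shape printed in this section and applies one explicit rule per finding. The sample lines embedded in it are constructed from the report with the file path shortened to invoice.exe; the -5000s sleep entry and the VirtualBox/QEMU markers are my additions, so the under-threshold case and the generalised marker list are assumptions rather than something the report shows.

```python
# Added triage script (not part of the Joe Sandbox report or of the sample).
# Parses behaviour lines in the report's format and re-derives three verdicts:
# long sleeps, VM-fingerprinting checks, and self-hollowing via an MZ write.
import re

# Constructed sample: report lines with the path shortened to 'invoice.exe'.
# The -5000s sleep is an added entry that must NOT trip the long-sleep rule.
SAMPLE_LOG = r"""
Source: C:\Users\user\Desktop\invoice.exe TID: 1744 Thread sleep time: -50406s >= -30000s
Source: C:\Users\user\Desktop\invoice.exe TID: 1744 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\invoice.exe TID: 1744 Thread sleep time: -5000s >= -30000s
Source: C:\Users\user\Desktop\invoice.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: invoice.exe, 00000000.00000002.242665617.0000000003001000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
Source: invoice.exe, 00000001.00000002.505362662.0000000006BE0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\invoice.exe Process created: C:\Users\user\Desktop\invoice.exe C:\Users\user\Desktop\invoice.exe
Source: C:\Users\user\Desktop\invoice.exe Memory written: C:\Users\user\Desktop\invoice.exe base: 400000 value starts with: 4D5A
"""

SLEEP_RE = re.compile(r"^Source: (?P<src>.+?) TID: (?P<tid>\d+) Thread sleep time: (?P<val>-?\d+)s")
WMI_RE = re.compile(r"WMI Queries: .*\b(?P<cls>Win32_\w+)\s*$")
STRING_RE = re.compile(r"Binary or memory string: (?P<s>.*)$")
CREATED_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<rest>.+)$")
WRITTEN_RE = re.compile(
    r"^Source: (?P<writer>.+?) Memory written: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)"
    r" value starts with: (?P<magic>[0-9A-Fa-f]+)")

LONG_SLEEP = 30000  # the threshold the report prints: '>= -30000s'
VM_WMI_CLASSES = {"Win32_Processor", "Win32_Bios", "Win32_BaseBoard", "Win32_NetworkAdapter"}
# 'vmware' and 'hyper-v' appear in the report; the remaining markers are my additions.
VM_MARKERS = ("vmware", "hyper-v", "virtualbox", "vbox", "qemu")


def parse(text):
    """Turn report lines into (kind, fields) tuples; lines of other kinds are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if m := SLEEP_RE.match(line):
            # The report prints the relative delay with its sign; only the
            # magnitude matters for the threshold comparison.
            events.append(("sleep", {"tid": int(m["tid"]), "delay": abs(int(m["val"]))}))
        elif m := WRITTEN_RE.match(line):
            events.append(("written", {"target": m["target"], "base": int(m["base"], 16),
                                       "magic": m["magic"].upper()}))
        elif m := CREATED_RE.match(line):
            parent, rest = m["parent"], m["rest"]
            # The report prints '<image> <command line>'; a child launched from the
            # parent's own image is the set-up step for self-hollowing.
            child = parent if rest.startswith(parent) else rest.split(" ")[0]
            events.append(("created", {"parent": parent, "child": child}))
        elif m := WMI_RE.search(line):
            events.append(("wmi", {"cls": m["cls"]}))
        elif m := STRING_RE.search(line):
            events.append(("string", {"s": m["s"]}))
    return events


def long_sleeps(events, threshold=LONG_SLEEP):
    """Sleep events whose magnitude reaches the sandbox's long-sleep threshold."""
    return [e for kind, e in events if kind == "sleep" and e["delay"] >= threshold]


def total_delay(events):
    """Sum of all requested delays: how long an analysis run must outlast."""
    return sum(e["delay"] for kind, e in events if kind == "sleep")


def vm_indicators(events):
    """WMI classes and memory strings commonly used to fingerprint a VM."""
    classes = sorted({e["cls"] for kind, e in events
                      if kind == "wmi" and e["cls"] in VM_WMI_CLASSES})
    strings = [e["s"] for kind, e in events
               if kind == "string" and any(mk in e["s"].lower() for mk in VM_MARKERS)]
    return {"wmi_classes": classes, "strings": strings}


def self_injection(events):
    """Self-hollowing: a child spawned from the parent's own image, then a write
    whose first bytes are the MZ header ('4D5A') into that child's image base."""
    spawned = {e["child"] for kind, e in events
               if kind == "created" and e["child"] == e["parent"]}
    return [e for kind, e in events
            if kind == "written" and e["target"] in spawned and e["magic"].startswith("4D5A")]


def triage(text):
    """One summary dict per report excerpt, suitable for a quick verdict."""
    ev = parse(text)
    return {
        "long_sleeps": len(long_sleeps(ev)),
        "total_delay": total_delay(ev),
        "vm_checks": vm_indicators(ev),
        "self_injection": [hex(e["base"]) for e in self_injection(ev)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

              Run it as-is to see the verdict for the embedded sample, or feed it a pasted block of report lines (the residual "Jump to behavior" link text is harmless to the regexes since every pattern anchors on the fields before it). The two numbers worth carrying into a detection rule are the count of sleeps at or above the threshold and the total requested delay; the self-hollowing rule deliberately requires both the self-spawn and the MZ write, since either alone has benign explanations.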