Loading ...

Play interactive tourEdit tour

Windows Analysis Report 20220114080343434.pdf.exe

Overview

General Information

Sample Name:20220114080343434.pdf.exe
Analysis ID:553186
MD5:cd9290d22bb18ced32a1b81814888382
SHA1:83b1ce896dca71d611232fe4197cbe3993cccf64
SHA256:3876b600bafaaaf0a580e3925b9851c1c82ea16b40fb6b2b127296a523cf86fd
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Uses an obfuscated file name to hide its real file extension (double extension)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • 20220114080343434.pdf.exe (PID: 7036 cmdline: "C:\Users\user\Desktop\20220114080343434.pdf.exe" MD5: CD9290D22BB18CED32A1B81814888382)
    • RegSvcs.exe (PID: 6540 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "2124798776", "Chat URL": "https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocument"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000009.00000002.558557812.000000000344E000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000009.00000000.304424534.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000009.00000000.304424534.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
        00000009.00000000.303933701.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000009.00000000.303933701.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
            Click to see the 21 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            1.2.20220114080343434.pdf.exe.28df808.2.raw.unpackJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
              9.0.RegSvcs.exe.400000.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                9.0.RegSvcs.exe.400000.1.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                  9.0.RegSvcs.exe.400000.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    9.0.RegSvcs.exe.400000.4.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                      Click to see the 17 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper ArgumentsShow sources
                      Source: Process startedAuthor: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\20220114080343434.pdf.exe" , ParentImage: C:\Users\user\Desktop\20220114080343434.pdf.exe, ParentProcessId: 7036, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6540
                      Sigma detected: Possible Applocker BypassShow sources
                      Source: Process startedAuthor: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\20220114080343434.pdf.exe" , ParentImage: C:\Users\user\Desktop\20220114080343434.pdf.exe, ParentProcessId: 7036, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6540

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 9.0.RegSvcs.exe.400000.3.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "2124798776", "Chat URL": "https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocument"}
                      Source: 20220114080343434.pdf.exe.7036.1.memstrminMalware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendMessage"}
                      Machine Learning detection for sampleShow sources
                      Source: 20220114080343434.pdf.exeJoe Sandbox ML: detected
                      Source: 9.0.RegSvcs.exe.400000.3.unpackAvira: Label: TR/Spy.Gen8
                      Source: 9.0.RegSvcs.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                      Source: 9.0.RegSvcs.exe.400000.2.unpackAvira: Label: TR/Spy.Gen8
                      Source: 9.0.RegSvcs.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8
                      Source: 9.0.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 9.2.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 20220114080343434.pdf.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49834 version: TLS 1.2
                      Source: 20220114080343434.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: WellKnownSidTy.pdb source: 20220114080343434.pdf.exe

                      Networking:

                      barindex
                      Uses the Telegram API (likely for C&C communication)Show sources
                      Source: unknownDNS query: name: api.telegram.org
                      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: global trafficHTTP traffic detected: POST /bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8d9d7774673e43dHost: api.telegram.orgContent-Length: 1006Expect: 100-continueConnection: Keep-Alive
                      Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49834 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49834
                      Source: RegSvcs.exe, 00000009.00000002.558108982.0000000003141000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: RegSvcs.exe, 00000009.00000002.558108982.0000000003141000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: RegSvcs.exe, 00000009.00000002.558108982.0000000003141000.00000004.00000001.sdmpString found in binary or memory: http://UeFrqT.com
                      Source: RegSvcs.exe, 00000009.00000002.558692920.00000000034B8000.00000004.00000001.sdmpString found in binary or memory: http://api.telegram.org
                      Source: RegSvcs.exe, 00000009.00000002.559897695.0000000006309000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.284299780.0000000005746000.00000004.00000001.sdmpString found in binary or memory: http://en.wE
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.283895234.0000000005763000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.283933561.0000000005763000.00000004.00000001.sdmpString found in binary or memory: http://en.wikipedia
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: RegSvcs.exe, 00000009.00000002.558653484.00000000034A5000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.286721278.0000000005747000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.286779303.0000000005747000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.291064337.000000000574D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.296024006.0000000005747000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.296414694.0000000005747000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.296538249.0000000005747000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.291064337.000000000574D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalict
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.291433983.000000000574E000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.291064337.000000000574D000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.291333441.000000000574C000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.291019852.000000000574C000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.291433983.000000000574E000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.291064337.000000000574D000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.291333441.000000000574C000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.291019852.000000000574C000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd1
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.291064337.000000000574D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdf
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.291433983.000000000574E000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.291064337.000000000574D000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.291333441.000000000574C000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.291019852.000000000574C000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessed
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.296414694.0000000005747000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000002.308506043.0000000005740000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.296538249.0000000005747000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgrita
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.296414694.0000000005747000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000002.308506043.0000000005740000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.296538249.0000000005747000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.como
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.296024006.0000000005747000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.296414694.0000000005747000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000002.308506043.0000000005740000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.296538249.0000000005747000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comrsivo
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.291433983.000000000574E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comt:
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.291433983.000000000574E000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.291333441.000000000574C000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.292482669.000000000574C000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comtoTF
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.291433983.000000000574E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comtto
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.291064337.000000000574D000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.291333441.000000000574C000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.291019852.000000000574C000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comtuet:
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.285876732.0000000005747000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285978096.0000000005748000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.286031416.0000000005747000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.285978096.0000000005748000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cncr;
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.286031416.0000000005747000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnl-g
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.285978096.0000000005748000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnres
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.285876732.0000000005747000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnu
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.286031416.0000000005747000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnu-h
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.288192818.000000000574D000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.288316807.000000000574D000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.287443277.000000000574B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.288192818.000000000574D000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.288316807.000000000574D000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.287443277.000000000574B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//ft
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.288192818.000000000574D000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.288316807.000000000574D000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.288192818.000000000574D000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.288316807.000000000574D000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/#
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.288192818.000000000574D000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.288316807.000000000574D000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/o
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.287443277.000000000574B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/oby
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.284070173.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285161013.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285111629.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285961664.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285793517.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285293155.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285058740.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284214946.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284952732.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.286439640.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.286763266.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285399043.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.287251981.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.287529116.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284121975.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284933681.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285324514.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285374134.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284765543.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285354419.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284255106.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285420297.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.287326441.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.287434034.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285188900.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.286611235.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285434027.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.287159497.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.286188290.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285233567.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285483737.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284391361.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.286700925.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284980871.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284169771.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284313551.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285598966.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284902558.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.286321696.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285564698.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.287504784.000000000575B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.284070173.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285161013.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285111629.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285961664.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285793517.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285293155.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285058740.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284214946.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284952732.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.286439640.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.286763266.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285399043.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.287251981.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.287529116.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284121975.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284933681.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285324514.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285374134.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284765543.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285354419.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284255106.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285420297.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.287326441.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.287434034.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285188900.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.286611235.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285434027.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.287159497.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.286188290.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285233567.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285483737.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284391361.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.286700925.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284980871.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284169771.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284313551.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285598966.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284902558.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.286321696.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285564698.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.287504784.000000000575B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com2
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.285161013.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285111629.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285961664.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285793517.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285293155.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285058740.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284214946.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284952732.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.286439640.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.286763266.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285399043.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.287251981.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.287529116.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284933681.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285324514.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285374134.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284765543.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285354419.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284255106.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285420297.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.287326441.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.287434034.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285188900.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.286611235.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285434027.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.287159497.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.286188290.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285233567.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285483737.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284391361.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.286700925.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284980871.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284169771.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284313551.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285598966.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.284902558.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.286321696.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.285564698.000000000575B000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.287504784.000000000575B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comeu
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.288177309.0000000005774000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com-iX
                      Source: 20220114080343434.pdf.exe, 00000001.00000003.288389703.0000000005774000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.288343797.0000000005774000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.288218703.0000000005774000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.288177309.0000000005774000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000003.288293221.0000000005774000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.comrmx
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.308765282.00000000069D2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: RegSvcs.exe, 00000009.00000002.558108982.0000000003141000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%$
                      Source: RegSvcs.exe, 00000009.00000002.558108982.0000000003141000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: RegSvcs.exe, 00000009.00000002.558653484.00000000034A5000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.306687989.00000000038B9000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000002.306874211.0000000003A0F000.00000004.00000001.sdmp, RegSvcs.exe, 00000009.00000000.304424534.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 00000009.00000000.303119673.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/
                      Source: RegSvcs.exe, 00000009.00000002.558653484.00000000034A5000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocument
                      Source: RegSvcs.exe, 00000009.00000002.558108982.0000000003141000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocumentdocument-----
                      Source: RegSvcs.exe, 00000009.00000002.558653484.00000000034A5000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org4
                      Source: RegSvcs.exe, 00000009.00000002.558108982.0000000003141000.00000004.00000001.sdmp, RegSvcs.exe, 00000009.00000002.558692920.00000000034B8000.00000004.00000001.sdmpString found in binary or memory: https://mVBubsTSBV2T9Joj.org
                      Source: RegSvcs.exe, 00000009.00000002.558108982.0000000003141000.00000004.00000001.sdmpString found in binary or memory: https://mVBubsTSBV2T9Joj.org(
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.306687989.00000000038B9000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000001.00000002.306874211.0000000003A0F000.00000004.00000001.sdmp, RegSvcs.exe, 00000009.00000000.304424534.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 00000009.00000000.303119673.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: RegSvcs.exe, 00000009.00000002.558108982.0000000003141000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: unknownHTTP traffic detected: POST /bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8d9d7774673e43dHost: api.telegram.orgContent-Length: 1006Expect: 100-continueConnection: Keep-Alive
                      Source: unknownDNS traffic detected: queries for: api.telegram.org
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49834 version: TLS 1.2

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: 20220114080343434.pdf.exe
                      .NET source code contains very large array initializationsShow sources
                      Source: 9.0.RegSvcs.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007b22245F62u002d6469u002d4896u002dA148u002d964494E27445u007d/CEADE11Au002d8F8Eu002d496Bu002dAC6Fu002d1775F318E4EC.csLarge array initialization: .cctor: array initializer size 12026
                      Source: 9.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b22245F62u002d6469u002d4896u002dA148u002d964494E27445u007d/CEADE11Au002d8F8Eu002d496Bu002dAC6Fu002d1775F318E4EC.csLarge array initialization: .cctor: array initializer size 12026
                      Source: 9.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007b22245F62u002d6469u002d4896u002dA148u002d964494E27445u007d/CEADE11Au002d8F8Eu002d496Bu002dAC6Fu002d1775F318E4EC.csLarge array initialization: .cctor: array initializer size 12026
                      Source: 9.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b22245F62u002d6469u002d4896u002dA148u002d964494E27445u007d/CEADE11Au002d8F8Eu002d496Bu002dAC6Fu002d1775F318E4EC.csLarge array initialization: .cctor: array initializer size 12026
                      Source: 9.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b22245F62u002d6469u002d4896u002dA148u002d964494E27445u007d/CEADE11Au002d8F8Eu002d496Bu002dAC6Fu002d1775F318E4EC.csLarge array initialization: .cctor: array initializer size 12026
                      Source: 9.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b22245F62u002d6469u002d4896u002dA148u002d964494E27445u007d/CEADE11Au002d8F8Eu002d496Bu002dAC6Fu002d1775F318E4EC.csLarge array initialization: .cctor: array initializer size 12026
                      Source: 20220114080343434.pdf.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 1_2_00F0CA141_2_00F0CA14
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 1_2_00F0EE701_2_00F0EE70
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 1_2_00F0EE601_2_00F0EE60
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 1_2_07077F481_2_07077F48
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 1_2_07070B141_2_07070B14
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 1_2_070700061_2_07070006
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 1_2_070700401_2_07070040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01471FE09_2_01471FE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014726189_2_01472618
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0147D2E09_2_0147D2E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0147F2F59_2_0147F2F5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0147B1189_2_0147B118
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0147E0009_2_0147E000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01478BF09_2_01478BF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016865209_2_01686520
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016849989_2_01684998
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01687D909_2_01687D90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016893B89_2_016893B8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016816209_2_01681620
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016876E09_2_016876E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0168F1129_2_0168F112
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01681DC89_2_01681DC8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0168A86E9_2_0168A86E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0168A8D09_2_0168A8D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01681E689_2_01681E68
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0172C3489_2_0172C348
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_017277E09_2_017277E0
                      Source: 20220114080343434.pdf.exeBinary or memory string: OriginalFilename vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.306278830.00000000028B1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXsRnamTkSyDlCuAFAppJMGlseY.exe4 vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.306687989.00000000038B9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXsRnamTkSyDlCuAFAppJMGlseY.exe4 vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exe, 00000001.00000000.281900861.0000000000382000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWellKnownSidTy.exe0 vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.309873085.0000000006EF0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.306874211.0000000003A0F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXsRnamTkSyDlCuAFAppJMGlseY.exe4 vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exe, 00000001.00000002.306874211.0000000003A0F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exeBinary or memory string: OriginalFilenameWellKnownSidTy.exe0 vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: 20220114080343434.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\20220114080343434.pdf.exe "C:\Users\user\Desktop\20220114080343434.pdf.exe"
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\20220114080343434.pdf.exe.logJump to behavior
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeMutant created: \Sessions\1\BaseNamedObjects\EwKDsJegaFtJBPaA
                      Source: 9.0.RegSvcs.exe.400000.3.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 9.0.RegSvcs.exe.400000.3.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 9.0.RegSvcs.exe.400000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 9.0.RegSvcs.exe.400000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 9.0.RegSvcs.exe.400000.2.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 9.0.RegSvcs.exe.400000.2.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: 20220114080343434.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: 20220114080343434.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: 20220114080343434.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: WellKnownSidTy.pdb source: 20220114080343434.pdf.exe

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: 20220114080343434.pdf.exe, dO/Q4.cs.Net Code: Kp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.2.20220114080343434.pdf.exe.380000.0.unpack, dO/Q4.cs.Net Code: Kp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.20220114080343434.pdf.exe.380000.0.unpack, dO/Q4.cs.Net Code: Kp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      .NET source code contains method to dynamically call methods (often used by packers)Show sources
                      Source: 20220114080343434.pdf.exe, dO/Q4.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 1.2.20220114080343434.pdf.exe.380000.0.unpack, dO/Q4.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 1.0.20220114080343434.pdf.exe.380000.0.unpack, dO/Q4.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 1_2_00F06A19 push A0380289h; iretd 1_2_00F06A1E
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 1_2_07071B5D push edi; retf 1_2_07071B66
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01471F32 push es; ret 9_2_01471F40
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01477A37 push edi; retn 0000h9_2_01477A39
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016860F0 push es; ret 9_2_01686100
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.23442041847

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Uses an obfuscated file name to hide its real file extension (double extension)Show sources
                      Source: Possible double extension: pdf.exeStatic PE information: 20220114080343434.pdf.exe
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Reg