Loading ...

Play interactive tourEdit tour

Windows Analysis Report 20220114080343434.pdf.exe

Overview

General Information

Sample Name:20220114080343434.pdf.exe
Analysis ID:553218
MD5:cd9290d22bb18ced32a1b81814888382
SHA1:83b1ce896dca71d611232fe4197cbe3993cccf64
SHA256:3876b600bafaaaf0a580e3925b9851c1c82ea16b40fb6b2b127296a523cf86fd
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Uses an obfuscated file name to hide its real file extension (double extension)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • 20220114080343434.pdf.exe (PID: 4616 cmdline: "C:\Users\user\Desktop\20220114080343434.pdf.exe" MD5: CD9290D22BB18CED32A1B81814888382)
    • RegSvcs.exe (PID: 6500 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 1496 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "2124798776", "Chat URL": "https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocument"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000008.00000000.308590348.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000008.00000000.308590348.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000008.00000002.553231861.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000008.00000002.553231861.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          00000000.00000002.312248426.0000000002D81000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
            Click to see the 21 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.20220114080343434.pdf.exe.3edcc90.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.2.20220114080343434.pdf.exe.3edcc90.4.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                0.2.20220114080343434.pdf.exe.3e74280.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  0.2.20220114080343434.pdf.exe.3e74280.3.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    8.0.RegSvcs.exe.400000.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 17 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper ArgumentsShow sources
                      Source: Process startedAuthor: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\20220114080343434.pdf.exe" , ParentImage: C:\Users\user\Desktop\20220114080343434.pdf.exe, ParentProcessId: 4616, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6500
                      Sigma detected: Possible Applocker BypassShow sources
                      Source: Process startedAuthor: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\20220114080343434.pdf.exe" , ParentImage: C:\Users\user\Desktop\20220114080343434.pdf.exe, ParentProcessId: 4616, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6500

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 0.2.20220114080343434.pdf.exe.3edcc90.4.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "2124798776", "Chat URL": "https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocument"}
                      Source: RegSvcs.exe.1496.8.memstrminMalware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendMessage"}
                      Machine Learning detection for sampleShow sources
                      Source: 20220114080343434.pdf.exeJoe Sandbox ML: detected
                      Source: 8.0.RegSvcs.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8
                      Source: 8.2.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 8.0.RegSvcs.exe.400000.2.unpackAvira: Label: TR/Spy.Gen8
                      Source: 8.0.RegSvcs.exe.400000.3.unpackAvira: Label: TR/Spy.Gen8
                      Source: 8.0.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 8.0.RegSvcs.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                      Source: 20220114080343434.pdf.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49830 version: TLS 1.2
                      Source: 20220114080343434.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: WellKnownSidTy.pdb source: 20220114080343434.pdf.exe

                      Networking:

                      barindex
                      Uses the Telegram API (likely for C&C communication)Show sources
                      Source: unknownDNS query: name: api.telegram.org
                      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: global trafficHTTP traffic detected: POST /bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8d9d77ee3312256Host: api.telegram.orgContent-Length: 1009Expect: 100-continueConnection: Keep-Alive
                      Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49830
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49830 -> 443
                      Source: RegSvcs.exe, 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: RegSvcs.exe, 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: RegSvcs.exe, 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmpString found in binary or memory: http://UeFrqT.com
                      Source: RegSvcs.exe, 00000008.00000002.557264398.0000000003712000.00000004.00000001.sdmpString found in binary or memory: http://api.telegram.org
                      Source: RegSvcs.exe, 00000008.00000002.558576320.00000000065C8000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: RegSvcs.exe, 00000008.00000002.558576320.00000000065C8000.00000004.00000001.sdmpString found in binary or memory: http://crl.veris
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.283290825.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283305003.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283152648.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283208748.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283182173.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283259509.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283123679.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283244194.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://en.w
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284026858.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283914641.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283885811.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283942441.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283961213.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.283914641.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com(
                      Source: RegSvcs.exe, 00000008.00000002.557247473.00000000036FD000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286760496.0000000005D03000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286824795.0000000005D04000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286816564.0000000005D03000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286767765.0000000005D04000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286924962.0000000005D03000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286942039.0000000005D04000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.289190210.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.289318058.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.289093184.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.289252588.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.289143103.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.288858385.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.288918153.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.288983388.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.289034401.0000000005CF3000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.287041681.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.286900771.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com9
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.286900771.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comesS
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.287041681.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comn-u/
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.286962308.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.287143704.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.287041681.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.287041681.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comue
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.286900771.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comuy
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.290845442.0000000005CF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.290817792.0000000005CF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.291923026.0000000005CEF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.290817792.0000000005CF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/d
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.291515061.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291556929.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291697526.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291435256.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291598283.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291358079.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291398360.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291473881.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291757927.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291647210.0000000005CEF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html.$
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.291358079.0000000005CEF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmld
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291435256.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291398360.0000000005CEF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.291078110.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.290998503.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291023701.0000000005CEF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersR
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.292082396.0000000005CEF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersr
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.311680143.0000000001397000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comB.TTF
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.311680143.0000000001397000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.coma
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283305003.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283710366.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283548411.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283352927.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.283290825.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283305003.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comiv
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.285870318.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.c
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.286249935.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.286054163.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285976448.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.285705421.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285739553.0000000005CF8000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285783264.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn9
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.286148512.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286315824.0000000005CFA000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286054163.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285976448.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285870318.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286200312.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286249935.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnP
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.285705421.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285739553.0000000005CF8000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285783264.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnTC
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.295330398.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.295411677.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/denHp
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.294959412.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.295250238.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.295114414.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.295200642.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmNp
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.294959412.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.295114414.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmSw
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285325370.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285400973.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285455774.0000000005CF8000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.284026858.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.micro.
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283290825.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283305003.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283710366.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283152648.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283067842.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.282926493.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.282987555.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283208748.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283548411.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283182173.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.282954072.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283259509.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283123679.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283244194.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283352927.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283094856.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283849906.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283794895.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283036793.0000000005CF3000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.283290825.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283305003.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283152648.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283067842.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283208748.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283548411.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283182173.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283259509.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283123679.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283244194.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283352927.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283094856.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283036793.0000000005CF3000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comW
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.282987555.0000000005CF3000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.coma
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.282987555.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.282954072.0000000005CF3000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.coms
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.288918153.0000000005CF3000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285266662.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285400973.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285455774.0000000005CF8000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.285325370.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285266662.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285400973.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285455774.0000000005CF8000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kra-e
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.285400973.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285455774.0000000005CF8000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krr-t
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.285325370.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285266662.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kru-hX
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286249935.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.286315824.0000000005CFA000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286249935.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com5v
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.287143704.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comic
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.284026858.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284090445.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284056869.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.net
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.284026858.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284090445.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284056869.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.net(
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.284026858.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284090445.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284056869.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284128821.0000000005CEB000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netiv
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.292495353.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.292550293.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.290669314.0000000005CFB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.290625115.0000000005CF9000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.292495353.0000000005CEF000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dec
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.290669314.0000000005CFB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.290625115.0000000005CF9000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dedc
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.290669314.0000000005CFB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.290625115.0000000005CF9000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dem
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286803625.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286749544.0000000005CEF000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.286749544.0000000005CEF000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cne&
                      Source: RegSvcs.exe, 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%$
                      Source: RegSvcs.exe, 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: RegSvcs.exe, 00000008.00000002.557247473.00000000036FD000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.313357191.0000000003D89000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000002.313963303.0000000003EDC000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000000.308590348.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 00000008.00000000.308204032.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/
                      Source: RegSvcs.exe, 00000008.00000002.557247473.00000000036FD000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocument
                      Source: RegSvcs.exe, 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocumentdocument-----
                      Source: RegSvcs.exe, 00000008.00000002.557247473.00000000036FD000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org4
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.313357191.0000000003D89000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000002.313963303.0000000003EDC000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000000.308590348.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 00000008.00000000.308204032.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: RegSvcs.exe, 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: RegSvcs.exe, 00000008.00000002.557166211.00000000036A7000.00000004.00000001.sdmpString found in binary or memory: https://xXcVm5kmD6Gyza.org
                      Source: RegSvcs.exe, 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmpString found in binary or memory: https://xXcVm5kmD6Gyza.org(
                      Source: unknownHTTP traffic detected: POST /bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8d9d77ee3312256Host: api.telegram.orgContent-Length: 1009Expect: 100-continueConnection: Keep-Alive
                      Source: unknownDNS traffic detected: queries for: api.telegram.org
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49830 version: TLS 1.2
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.311203434.0000000000F48000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: 20220114080343434.pdf.exe
                      .NET source code contains very large array initializationsShow sources
                      Source: 8.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b22245F62u002d6469u002d4896u002dA148u002d964494E27445u007d/CEADE11Au002d8F8Eu002d496Bu002dAC6Fu002d1775F318E4EC.csLarge array initialization: .cctor: array initializer size 12026
                      Source: 8.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b22245F62u002d6469u002d4896u002dA148u002d964494E27445u007d/CEADE11Au002d8F8Eu002d496Bu002dAC6Fu002d1775F318E4EC.csLarge array initialization: .cctor: array initializer size 12026
                      Source: 8.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007b22245F62u002d6469u002d4896u002dA148u002d964494E27445u007d/CEADE11Au002d8F8Eu002d496Bu002dAC6Fu002d1775F318E4EC.csLarge array initialization: .cctor: array initializer size 12026
                      Source: 8.0.RegSvcs.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007b22245F62u002d6469u002d4896u002dA148u002d964494E27445u007d/CEADE11Au002d8F8Eu002d496Bu002dAC6Fu002d1775F318E4EC.csLarge array initialization: .cctor: array initializer size 12026
                      Source: 8.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b22245F62u002d6469u002d4896u002dA148u002d964494E27445u007d/CEADE11Au002d8F8Eu002d496Bu002dAC6Fu002d1775F318E4EC.csLarge array initialization: .cctor: array initializer size 12026
                      Source: 8.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b22245F62u002d6469u002d4896u002dA148u002d964494E27445u007d/CEADE11Au002d8F8Eu002d496Bu002dAC6Fu002d1775F318E4EC.csLarge array initialization: .cctor: array initializer size 12026
                      Source: 20220114080343434.pdf.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 0_2_0138CA140_2_0138CA14
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 0_2_0138EE700_2_0138EE70
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 0_2_0138EE600_2_0138EE60
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 0_2_074480E00_2_074480E0
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 0_2_07440B140_2_07440B14
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 0_2_074400400_2_07440040
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 0_2_074400350_2_07440035
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 0_2_074480D00_2_074480D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015F1FE08_2_015F1FE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015F26188_2_015F2618
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015FF2F58_2_015FF2F5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015FD2E08_2_015FD2E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015FB1188_2_015FB118
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015F9DB88_2_015F9DB8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015FE0008_2_015FE000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017F65208_2_017F6520
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017F7D908_2_017F7D90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017F93B88_2_017F93B8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017F43A88_2_017F43A8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017F16208_2_017F1620
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017F76E08_2_017F76E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017F1DC88_2_017F1DC8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017FA86E8_2_017FA86E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017FA8D08_2_017FA8D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017F1E688_2_017F1E68
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_058247A08_2_058247A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_058247908_2_05824790
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_058247738_2_05824773
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0582D6608_2_0582D660
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05823CEF8_2_05823CEF
                      Source: 20220114080343434.pdf.exeBinary or memory string: OriginalFilename vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.312248426.0000000002D81000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXsRnamTkSyDlCuAFAppJMGlseY.exe4 vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320650494.00000000072C0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.313357191.0000000003D89000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXsRnamTkSyDlCuAFAppJMGlseY.exe4 vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exe, 00000000.00000000.280755361.0000000000872000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWellKnownSidTy.exe0 vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.313963303.0000000003EDC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXsRnamTkSyDlCuAFAppJMGlseY.exe4 vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.313963303.0000000003EDC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.311203434.0000000000F48000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exeBinary or memory string: OriginalFilenameWellKnownSidTy.exe0 vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: 20220114080343434.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\20220114080343434.pdf.exe "C:\Users\user\Desktop\20220114080343434.pdf.exe"
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\20220114080343434.pdf.exe.logJump to behavior
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/1@1/2
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeMutant created: \Sessions\1\BaseNamedObjects\EwKDsJegaFtJBPaA
                      Source: 8.0.RegSvcs.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 8.0.RegSvcs.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 8.2.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 8.2.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 8.0.RegSvcs.exe.400000.2.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 8.0.RegSvcs.exe.400000.2.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: 20220114080343434.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: 20220114080343434.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: 20220114080343434.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: WellKnownSidTy.pdb source: 20220114080343434.pdf.exe

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: 20220114080343434.pdf.exe, dO/Q4.cs.Net Code: Kp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.20220114080343434.pdf.exe.870000.0.unpack, dO/Q4.cs.Net Code: Kp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.20220114080343434.pdf.exe.870000.0.unpack, dO/Q4.cs.Net Code: Kp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      .NET source code contains method to dynamically call methods (often used by packers)Show sources
                      Source: 20220114080343434.pdf.exe, dO/Q4.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 0.0.20220114080343434.pdf.exe.870000.0.unpack, dO/Q4.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 0.2.20220114080343434.pdf.exe.870000.0.unpack, dO/Q4.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 0_2_07441B5D push edi; retf 0_2_07441B66
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015F1F32 push es; ret 8_2_015F1F40
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015F7A37 push edi; retn 0000h8_2_015F7A39
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017F60F0 push es; ret 8_2_017F6100
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.23442041847

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Uses an obfuscated file name to hide its real file extension (double extension)Show sources
                      Source: Possible double extension: pdf.exeStatic PE information: 20220114080343434.pdf.exe
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to