
Windows Analysis Report
Sat#U0131nalma Sipari#U015fi -AR95647,pdf.scr

Overview

General Information

Sample Name: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.scr (renamed file extension from scr to exe)
Analysis ID: 562452
MD5: 43c383d252b3385d4eaa21e4eccbf244
SHA1: 9bff9ef837f3b1742859b0ff14528c59ef87b0f0
SHA256: fa51b3b1d130a540d92f8864a6daeb74b25a3b34306dd2d0d61e4a24c4ad5744
Tags: AgentTesla, exe, geo, scr, TUR

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • cleanup
Extracted malware configuration (AgentTesla):
{"Exfil Mode": "Http", "HTTP method": "Post", "Post URL": "https://agusanplantation.com/udo/udo/inc/0315179f2c9558.php", "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"}

Yara matches in memory dumps:
Source | Rule | Description | Author | Strings
00000005.00000000.368811093.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000000.368811093.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000005.00000000.370441082.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000000.370441082.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000001.00000002.381669718.0000000002769000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Yara matches in unpacked PE files:
Source | Rule | Description | Author | Strings
5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.12.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.12.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | matched strings listed below
  • 0x30db1:$s1: get_kbok
  • 0x316e5:$s2: get_CHoo
  • 0x32340:$s3: set_passwordIsSet
  • 0x30bb5:$s4: get_enableLog
  • 0x3525f:$s8: torbrowser
  • 0x33c3b:$s10: logins
  • 0x335b3:$s11: credential
  • 0x2ff9d:$g1: get_Clipboard
  • 0x2ffab:$g2: get_Keyboard
  • 0x2ffb8:$g3: get_Password
  • 0x31593:$g4: get_CtrlKeyDown
  • 0x315a3:$g5: get_ShiftKeyDown
  • 0x315b4:$g6: get_AltKeyDown
5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
                    No Sigma rule has matched


                    AV Detection

Source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.3716000.5.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Http", "HTTP method": "Post", "Post URL": "https://agusanplantation.com/udo/udo/inc/0315179f2c9558.php", "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"}
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Virustotal: Detection: 35%
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | ReversingLabs: Detection: 35%
Source: http://agusanplantation.com | Avira URL Cloud: Label: malware
Source: https://agusanplantation.com | Avira URL Cloud: Label: malware
Source: https://agusanplantation.com/udo/udo/inc/0315179f2c9558.php127.0.0.1POST | Avira URL Cloud: Label: malware
Source: https://agusanplantation.com/udo/udo/inc/0315179f2c9558.php | Avira URL Cloud: Label: malware
Source: agusanplantation.com | Virustotal: Detection: 10%
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Joe Sandbox ML: detected
Source: 5.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: unknown | HTTPS traffic detected: 198.251.89.144:443 -> 192.168.2.3:49768 version: TLS 1.2
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: UnicodeDataHead.pdb source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
Source: Joe Sandbox View | ASN Name: PONYNETUS PONYNETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49768
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568744346.0000000003091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568744346.0000000003091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568744346.0000000003091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ZzSQGD.com
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568890784.0000000003156000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://agusanplantation.com
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.381542855.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://blog.iandreev.com
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.381542855.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://blog.iandreev.com/
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.569495103.0000000006D39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568858553.0000000003138000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568858553.0000000003138000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://agusanplantation.com
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568858553.0000000003138000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://agusanplantation.com/udo/udo/inc/0315179f2c9558.php
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568744346.0000000003091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://agusanplantation.com/udo/udo/inc/0315179f2c9558.php127.0.0.1POST
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568858553.0000000003138000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://agusanplantation.com4
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568744346.0000000003091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.382042190.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000000.368811093.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000000.370441082.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568744346.0000000003091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: agusanplantation.com
Source: unknown | HTTPS traffic detected: 198.251.89.144:443 -> 192.168.2.3:49768 version: TLS 1.2
Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Window created: window name: CLIPBRDWNDCLASS

                    System Summary

                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.26fdaa4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
                    Source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.374c220.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.277dca0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 5.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.3716000.5.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.3716000.5.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.374c220.3.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 00000005.00000002.568744346.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: Process Memory Space: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe PID: 6844, type: MEMORYSTRMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 5.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bA4AF0B36u002dA4A7u002d48ABu002dBDFFu002dE34FFE219803u007d/C21C6C61u002d8C0Fu002d4B51u002d810Cu002d8C2933130742.csLarge array initialization: .cctor: array initializer size 12032
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007bA4AF0B36u002dA4A7u002d48ABu002dBDFFu002dE34FFE219803u007d/C21C6C61u002d8C0Fu002d4B51u002d810Cu002d8C2933130742.csLarge array initialization: .cctor: array initializer size 12032
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.26fdaa4.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
                    Source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.374c220.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.277dca0.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 5.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.3716000.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.3716000.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.374c220.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 00000005.00000002.568744346.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: Process Memory Space: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe PID: 6844, type: MEMORYSTRMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeCode function: 1_2_0784170E1_2_0784170E
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeCode function: 5_2_02E847A05_2_02E847A0
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeCode function: 5_2_02E83CCC5_2_02E83CCC
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeCode function: 5_2_02E847905_2_02E84790
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeCode function: 5_2_02E847725_2_02E84772
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeCode function: 5_2_02E847525_2_02E84752
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeCode function: 5_2_02E847305_2_02E84730
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeCode function: 5_2_02E8D6615_2_02E8D661
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeCode function: 5_2_02E854925_2_02E85492
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.382042190.00000000036B9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepYVEAnKhpJWUxTGSDkJeZvUJbWJzQYTCpvcc.exe4 vs Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.382042190.00000000036B9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.380091504.0000000000298000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameUnicodeDataHead.exe4 vs Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.381669718.0000000002769000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSafeSerializationManager.dll: vs Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.381596433.000000000270C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUnicodeDataHead.exe4 vs Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.381596433.000000000270C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.381596433.000000000270C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: &i,\\StringFileInfo\\000004B0\\OriginalFilename vs Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.381542855.00000000026B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.381542855.00000000026B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSafeSerializationManager.dll: vs Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.381542855.00000000026B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepYVEAnKhpJWUxTGSDkJeZvUJbWJzQYTCpvcc.exe4 vs Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.385624661.00000000076D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000000.372142387.0000000000DA8000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameUnicodeDataHead.exe4 vs Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568203571.000000000145A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000000.370441082.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepYVEAnKhpJWUxTGSDkJeZvUJbWJzQYTCpvcc.exe4 vs Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeBinary or memory string: OriginalFilenameUnicodeDataHead.exe4 vs Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeVirustotal: Detection: 35%
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeReversingLabs: Detection: 35%
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeFile read: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe:Zone.IdentifierJump to behavior
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe "C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe"
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeProcess created: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeProcess created: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.logJump to behavior
                    Source: classification engineClassification label: mal100.troj.evad.winEXE@3/1@1/2
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, cz/iN.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 1.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.1c0000.0.unpack, cz/iN.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.1c0000.0.unpack, cz/iN.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 5.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.cd0000.5.unpack, cz/iN.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: UnicodeDataHead.pdb | source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe

                    Data Obfuscation

                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, po/hP.cs | .Net Code: QpI System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 1.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.1c0000.0.unpack, po/hP.cs | .Net Code: QpI System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.1c0000.0.unpack, po/hP.cs | .Net Code: QpI System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.cd0000.5.unpack, po/hP.cs | .Net Code: QpI System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.cd0000.11.unpack, po/hP.cs | .Net Code: QpI System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.cd0000.13.unpack, po/hP.cs | .Net Code: QpI System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.cd0000.7.unpack, po/hP.cs | .Net Code: QpI System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.cd0000.3.unpack, po/hP.cs | .Net Code: QpI System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, cz/iN.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 1.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.1c0000.0.unpack, cz/iN.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.1c0000.0.unpack, cz/iN.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.cd0000.5.unpack, cz/iN.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.cd0000.11.unpack, cz/iN.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.cd0000.13.unpack, cz/iN.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.cd0000.7.unpack, cz/iN.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.cd0000.3.unpack, cz/iN.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Code function: 1_2_0784BB6D push FFFFFF8Bh; iretd 1_2_0784BB6F
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Process information set: NOOPENFILEERRORBOX (reported 94 times)

                    Malware Analysis System Evasion

                    Source: Yara match | File source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.26fdaa4.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.277dca0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000002.381669718.0000000002769000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.381542855.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe PID: 6984, type: MEMORYSTR
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.381669718.0000000002769000.00000004.00000800.00020000.00000000.sdmp, Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.381542855.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.381669718.0000000002769000.00000004.00000800.00020000.00000000.sdmp, Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.381542855.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe TID: 6988 | Thread sleep time: -39067s >= -30000s
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe TID: 4540 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe TID: 3120 | Thread sleep time: -18446744073709540s >= -30000s
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe TID: 1068 | Thread sleep count: 3759 > 30
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe TID: 1068 | Thread sleep count: 6089 > 30
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Window / User API: threadDelayed 3759
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Window / User API: threadDelayed 6089
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Thread delayed: delay time: 39067
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Thread delayed: delay time: 922337203685477
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.381542855.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.381542855.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.381542855.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568321218.00000000014FF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
                    Source: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.381542855.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Memory written: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Process created: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match, File source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.374c220.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 5.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.3716000.5.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.3716000.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.374c220.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000005.00000000.368811093.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000005.00000000.370441082.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000005.00000002.567660586.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000005.00000000.372540423.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000005.00000000.369389266.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000001.00000002.382042190.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000005.00000002.568744346.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe PID: 6984, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe PID: 6844, type: MEMORYSTR
                    Source: Yara match, File source: 00000005.00000002.568744346.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe PID: 6844, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match, File source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.374c220.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 5.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.3716000.5.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.3716000.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 1.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.374c220.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000005.00000000.368811093.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000005.00000000.370441082.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000005.00000002.567660586.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000005.00000000.372540423.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000005.00000000.369389266.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000001.00000002.382042190.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000005.00000002.568744346.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe PID: 6984, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe PID: 6844, type: MEMORYSTR
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Valid Accounts211
                    Windows Management Instrumentation
                    Path Interception111
                    Process Injection
                    1
                    Masquerading
                    OS Credential Dumping211
                    Security Software Discovery
                    Remote Services11
                    Archive Collected Data
                    Exfiltration Over Other Network Medium12
                    Encrypted Channel
                    Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                    Disable or Modify Tools
                    LSASS Memory1
                    Process Discovery
                    Remote Desktop Protocol1
                    Clipboard Data
                    Exfiltration Over Bluetooth1
                    Non-Application Layer Protocol
                    Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)131
                    Virtualization/Sandbox Evasion
                    Security Account Manager131
                    Virtualization/Sandbox Evasion
                    SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration2
                    Application Layer Protocol
                    Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)111
                    Process Injection
                    NTDS1
                    Application Window Discovery
                    Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                    Deobfuscate/Decode Files or Information
                    LSA Secrets1
                    Remote System Discovery
                    SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                    Replication Through Removable MediaLaunchdRc.commonRc.common1
                    Obfuscated Files or Information
                    Cached Domain Credentials113
                    System Information Discovery
                    VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                    External Remote ServicesScheduled TaskStartup ItemsStartup Items21
                    Software Packing
                    DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Source | Detection | Scanner | Label | Link
Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | 35% | Virustotal | | Browse
Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | 36% | ReversingLabs | ByteCode-MSIL.Trojan.DarkStealerLoader |
Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe | 100% | Joe Sandbox ML | |
                    No Antivirus matches
Source | Detection | Scanner | Label | Link | Download
5.2.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
5.0.Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
Source | Detection | Scanner | Label | Link
agusanplantation.com | 11% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe |
http://DynDns.comDynDNS | 0% | URL Reputation | safe |
http://blog.iandreev.com/ | 0% | Virustotal | | Browse
http://blog.iandreev.com/ | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
https://agusanplantation.com4 | 0% | Avira URL Cloud | safe |
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe |
http://blog.iandreev.com | 0% | Avira URL Cloud | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://ZzSQGD.com | 0% | Avira URL Cloud | safe |
http://agusanplantation.com | 100% | Avira URL Cloud | malware |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
https://agusanplantation.com | 100% | Avira URL Cloud | malware |
https://agusanplantation.com/udo/udo/inc/0315179f2c9558.php127.0.0.1POST | 100% | Avira URL Cloud | malware |
https://agusanplantation.com/udo/udo/inc/0315179f2c9558.php | 100% | Avira URL Cloud | malware |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
agusanplantation.com | 198.251.89.144 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568744346.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://DynDns.comDynDNS | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568744346.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://blog.iandreev.com/ | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.381542855.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://agusanplantation.com4 | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568858553.0000000003138000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568744346.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://blog.iandreev.com | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.381542855.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ZzSQGD.com | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568744346.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://agusanplantation.com | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568890784.0000000003156000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.carterandcone.coml | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://agusanplantation.com | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568858553.0000000003138000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://agusanplantation.com/udo/udo/inc/0315179f2c9558.php127.0.0.1POST | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568744346.0000000003091000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://agusanplantation.com/udo/udo/inc/0315179f2c9558.php | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568858553.0000000003138000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.jiyu-kobo.co.jp/ | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org%GETMozilla/5.0 | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568744346.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
http://www.fonts.com | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000002.568858553.0000000003138000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.384224185.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000001.00000002.382042190.00000000036B9000.00000004.00000800.00020000.00000000.sdmp; Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000000.368811093.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe, 00000005.00000000.370441082.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
198.251.89.144 | agusanplantation.com | United States | | 53667 | PONYNETUS | true
                                          IP
                                          192.168.2.1
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 562452
Start date: 28.01.2022
Start time: 22:09:51
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 33s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.scr (renamed file extension from scr to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@3/1@1/2
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HDC Information:
                                          • Successful, ratio: 2.3% (good quality ratio 1.7%)
                                          • Quality average: 56.2%
                                          • Quality standard deviation: 40.1%
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 35
                                          • Number of non-executed functions: 1
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                          • Excluded IPs from analysis (whitelisted): 2.20.157.220
                                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
22:12:02 | API Interceptor | 425x Sleep call for process: Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
198.251.89.144 | cXzl3Ux97H.exe | Get hash | malicious | Browse | officialcomerce1.xyz/lee/receive.php?command=UGluZ2Vk&vicID=RDd0Sjd2XzlBOEU0NDBB
                                          No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
PONYNETUS | Korpze1233121337.arm4 | Get hash | malicious | Browse | 198.98.54.38
PONYNETUS | Korpze1233121337.arm5 | Get hash | malicious | Browse | 198.98.54.38
PONYNETUS | Korpze1233121337.arm6 | Get hash | malicious | Browse | 198.98.54.38
PONYNETUS | Korpze1233121337.arm7 | Get hash | malicious | Browse | 198.98.54.38
PONYNETUS | Korpze1233121337.i586 | Get hash | malicious | Browse | 198.98.54.38
PONYNETUS | Korpze1233121337.i686 | Get hash | malicious | Browse | 198.98.54.38
PONYNETUS | LBeT7V5Wiv | Get hash | malicious | Browse | 198.98.54.38
PONYNETUS | Korpze1233121337.m68k | Get hash | malicious | Browse | 198.98.54.38
PONYNETUS | Korpze1233121337.mips | Get hash | malicious | Browse | 198.98.54.38
PONYNETUS | Korpze1233121337.mpsl | Get hash | malicious | Browse | 198.98.54.38
PONYNETUS | Korpze1233121337.ppc | Get hash | malicious | Browse | 198.98.54.38
PONYNETUS | Korpze1233121337.sh4 | Get hash | malicious | Browse | 198.98.54.38
PONYNETUS | Korpze1233121337.sparc | Get hash | malicious | Browse | 198.98.54.38
PONYNETUS | Korpze1233121337.x86 | Get hash | malicious | Browse | 198.98.54.38
PONYNETUS | SecuriteInfo.com.Scr.Malcodegdn30.16628.exe | Get hash | malicious | Browse | 107.189.3.232
PONYNETUS | SecuriteInfo.com.W64.MSIL_Agent.CDE.genEldorado.15807.exe | Get hash | malicious | Browse | 209.141.60.216
PONYNETUS | hp.exe | Get hash | malicious | Browse | 209.141.60.216
PONYNETUS | 8AyH2CgnMK.exe | Get hash | malicious | Browse | 209.141.58.111
PONYNETUS | nv.arm4 | Get hash | malicious | Browse | 209.141.51.83
PONYNETUS | nv.arm5 | Get hash | malicious | Browse | 209.141.51.83
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | Halkbank,pdf.exe | Get hash | malicious | Browse | 198.251.89.144
3b5074b1b5d032e5620f69f9f700ff0e | modmenu_by_1h#U0410ck.exe | Get hash | malicious | Browse | 198.251.89.144
3b5074b1b5d032e5620f69f9f700ff0e | SNO22 PriceLetter595406_RACX-159814.exe | Get hash | malicious | Browse | 198.251.89.144
3b5074b1b5d032e5620f69f9f700ff0e | Diesel EXP.exe | Get hash | malicious | Browse | 198.251.89.144
3b5074b1b5d032e5620f69f9f700ff0e | Invoice4334567.htm | Get hash | malicious | Browse | 198.251.89.144
3b5074b1b5d032e5620f69f9f700ff0e | 860e50.exe | Get hash | malicious | Browse | 198.251.89.144
3b5074b1b5d032e5620f69f9f700ff0e | yt64cMMhTw.exe | Get hash | malicious | Browse | 198.251.89.144
3b5074b1b5d032e5620f69f9f700ff0e | qgMcnt4meR.exe | Get hash | malicious | Browse | 198.251.89.144
3b5074b1b5d032e5620f69f9f700ff0e | 8MnPvBzj15jLYOx.exe | Get hash | malicious | Browse | 198.251.89.144
3b5074b1b5d032e5620f69f9f700ff0e | Invoice.exe | Get hash | malicious | Browse | 198.251.89.144
3b5074b1b5d032e5620f69f9f700ff0e | Attachments.exe | Get hash | malicious | Browse | 198.251.89.144
3b5074b1b5d032e5620f69f9f700ff0e | #U266c VM_420419.htm | Get hash | malicious | Browse | 198.251.89.144
3b5074b1b5d032e5620f69f9f700ff0e | MEmu-setup-abroad-sdk.exe | Get hash | malicious | Browse | 198.251.89.144
3b5074b1b5d032e5620f69f9f700ff0e | QuotePDF.vbs | Get hash | malicious | Browse | 198.251.89.144
3b5074b1b5d032e5620f69f9f700ff0e | Divit-RekutPO260122.exe | Get hash | malicious | Browse | 198.251.89.144
3b5074b1b5d032e5620f69f9f700ff0e | conocimiento de embarque y factura comercial.XLSx.exe | Get hash | malicious | Browse | 198.251.89.144
3b5074b1b5d032e5620f69f9f700ff0e | Attachments.exe | Get hash | malicious | Browse | 198.251.89.144
3b5074b1b5d032e5620f69f9f700ff0e | nueva lista de pedidos n.#U00ba 002622.exe | Get hash | malicious | Browse | 198.251.89.144
3b5074b1b5d032e5620f69f9f700ff0e | EasyCheat.exe | Get hash | malicious | Browse | 198.251.89.144
3b5074b1b5d032e5620f69f9f700ff0e | e83EtnbjDD.exe | Get hash | malicious | Browse | 198.251.89.144
                                          No context
Process: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):6.597778252697803
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          File name:Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                                          File size:869376
                                          MD5:43c383d252b3385d4eaa21e4eccbf244
                                          SHA1:9bff9ef837f3b1742859b0ff14528c59ef87b0f0
                                          SHA256:fa51b3b1d130a540d92f8864a6daeb74b25a3b34306dd2d0d61e4a24c4ad5744
                                          SHA512:dedba6a609fc9143e837d59eff3179e80968f85db5e469ec330b64789c9be9d9725f7a3c63f22d3ac2cf0b7a93e433214e21a6b85a4e0b58026d17094aab247b
                                          SSDEEP:12288:qc7oo9xqQNl9qY4DeOxRRqu+bfYE8Q25GWVy1vw:qckovfNDqY4ykRRqujd3Gey
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................6...........T... ...`....@.. ....................................@................................
                                          Icon Hash:00828e8e8686b000
                                          Entrypoint:0x4d54ee
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x61F3C3C0 [Fri Jan 28 10:21:52 2022 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd54a0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd8000 | 0x5c0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xda000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd544e | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xd34f4 | 0xd3600 | False | 0.522019145476 | data | 6.6031194739 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata | 0xd6000 | 0x1e8 | 0x200 | False | 0.861328125 | data | 6.62066080555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xd8000 | 0x5c0 | 0x600 | False | 0.427734375 | data | 4.11400581254 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xda000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xd80a0 | 0x334 | data | |
RT_MANIFEST | 0xd83d4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2016
Assembly Version | 1.0.0.0
InternalName | UnicodeDataHead.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | OthelloCS
ProductVersion | 1.0.0.0
FileDescription | OthelloCS
OriginalFilename | UnicodeDataHead.exe
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 28, 2022 22:12:55.389868975 CET | 49768 | 443 | 192.168.2.3 | 198.251.89.144
Jan 28, 2022 22:12:55.389926910 CET | 443 | 49768 | 198.251.89.144 | 192.168.2.3
Jan 28, 2022 22:12:55.390032053 CET | 49768 | 443 | 192.168.2.3 | 198.251.89.144
Jan 28, 2022 22:12:55.866844893 CET | 49768 | 443 | 192.168.2.3 | 198.251.89.144
Jan 28, 2022 22:12:55.866872072 CET | 443 | 49768 | 198.251.89.144 | 192.168.2.3
Jan 28, 2022 22:12:55.989129066 CET | 443 | 49768 | 198.251.89.144 | 192.168.2.3
Jan 28, 2022 22:12:55.989315033 CET | 49768 | 443 | 192.168.2.3 | 198.251.89.144
Jan 28, 2022 22:12:55.994330883 CET | 49768 | 443 | 192.168.2.3 | 198.251.89.144
Jan 28, 2022 22:12:55.994343996 CET | 443 | 49768 | 198.251.89.144 | 192.168.2.3
Jan 28, 2022 22:12:55.994638920 CET | 443 | 49768 | 198.251.89.144 | 192.168.2.3
Jan 28, 2022 22:12:56.163947105 CET | 49768 | 443 | 192.168.2.3 | 198.251.89.144
Jan 28, 2022 22:13:00.564177990 CET | 49768 | 443 | 192.168.2.3 | 198.251.89.144
Jan 28, 2022 22:13:00.564737082 CET | 443 | 49768 | 198.251.89.144 | 192.168.2.3
Jan 28, 2022 22:13:00.564790964 CET | 443 | 49768 | 198.251.89.144 | 192.168.2.3
Jan 28, 2022 22:13:00.564837933 CET | 49768 | 443 | 192.168.2.3 | 198.251.89.144
Jan 28, 2022 22:13:00.564867973 CET | 49768 | 443 | 192.168.2.3 | 198.251.89.144
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 28, 2022 22:12:54.916333914 CET | 60823 | 53 | 192.168.2.3 | 8.8.8.8
Jan 28, 2022 22:12:54.978343964 CET | 53 | 60823 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 28, 2022 22:12:54.916333914 CET | 192.168.2.3 | 8.8.8.8 | 0x38e3 | Standard query (0) | agusanplantation.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 28, 2022 22:12:54.978343964 CET | 8.8.8.8 | 192.168.2.3 | 0x38e3 | No error (0) | agusanplantation.com | | 198.251.89.144 | A (IP address) | IN (0x0001)

                                          Target ID:1
                                          Start time:22:11:33
                                          Start date:28/01/2022
                                          Path:C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe"
                                          Imagebase:0x1c0000
                                          File size:869376 bytes
                                          MD5 hash:43C383D252B3385D4EAA21E4ECCBF244
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.381669718.0000000002769000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.381542855.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.382042190.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.382042190.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low

                                          Target ID:5
                                          Start time:22:12:04
                                          Start date:28/01/2022
                                          Path:C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe
                                          Imagebase:0xcd0000
                                          File size:869376 bytes
                                          MD5 hash:43C383D252B3385D4EAA21E4ECCBF244
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.368811093.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.368811093.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.370441082.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.370441082.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.567660586.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.567660586.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.568744346.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.568744346.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000005.00000002.568744346.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.372540423.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.372540423.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.369389266.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.369389266.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low

                                            Execution Graph

                                            Execution Coverage:9.5%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:89
                                            Total number of Limit Nodes:3

                                            Control-flow Graph

                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0784792E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.385971522.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7840000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 7733dd6f7185bcf1ffb58f6534dab841a108a1de44b0eacb720ac9a686d6f787
                                            • Instruction ID: 4f6c34eac2c482d3dea45105960331a664329d513a1c7fda6465d8f718cd50e2
                                            • Opcode Fuzzy Hash: 7733dd6f7185bcf1ffb58f6534dab841a108a1de44b0eacb720ac9a686d6f787
                                            • Instruction Fuzzy Hash: 5FA14AB1D002199FDB14CFA9CC817EDBBB2BF58314F1485A9D819E7240DBB49985CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0784792E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.385971522.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7840000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 0cbf92bc01bf5c8b87dda91b16f13643e6796a5c181af35a7c30caf1306dcdae
                                            • Instruction ID: 66d9d08844e15ed33f7b4feab8b81a424b6ab29be7d25370fc1f5b74043dfce8
                                            • Opcode Fuzzy Hash: 0cbf92bc01bf5c8b87dda91b16f13643e6796a5c181af35a7c30caf1306dcdae
                                            • Instruction Fuzzy Hash: 77914AB1D00219CFDB14CFA9C8817EEBBB2BF58314F1485A9D819E7240DBB49985CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            [Control-flow graph figure not reproduced; the basic block 78474ce-784750d calls WriteProcessMemory]
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07847500
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.385971522.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7840000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 70d43877e79ceb7bdfcfaf95b9508f4c45000903ad7265540e978ec6e5710119
                                            • Instruction ID: 43484d29c2ef6dd5ea25792d8e9e5a47976cfabf1bd8bfdfcc748f9a531d68f6
                                            • Opcode Fuzzy Hash: 70d43877e79ceb7bdfcfaf95b9508f4c45000903ad7265540e978ec6e5710119
                                            • Instruction Fuzzy Hash: 663125B59003499FCB10CFA9D9857EEBBF5EF48324F10882AE958A7240D7B49945CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            [Control-flow graph figure not reproduced; the basic block 7847567-78475ed calls ReadProcessMemory]
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 078475E0
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.385971522.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7840000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: d9f2b4cb496d6bd5ae36d0087982337e281428b0b53d65d648c7ec98e78c2fe1
                                            • Instruction ID: 3de3823fb465ed82d9201bf031be7a138059b2e6c4358f5ae08520ef4fc71ac4
                                            • Opcode Fuzzy Hash: d9f2b4cb496d6bd5ae36d0087982337e281428b0b53d65d648c7ec98e78c2fe1
                                            • Instruction Fuzzy Hash: C42137B19002099FCF10CFA9D8846EEBBF5FF58324F10882AD558A7240D775A905CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            [Control-flow graph figure not reproduced; the basic block 7847333-7847363 calls SetThreadContext]
                                            APIs
                                            • SetThreadContext.KERNELBASE(?,00000000), ref: 07847356
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.385971522.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7840000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: ContextThread
                                            • String ID:
                                            • API String ID: 1591575202-0
                                            • Opcode ID: 0acd80a1cbca83ef09e00590da97733230e3fd6212f3a86cec65839ac287b574
                                            • Instruction ID: 4b67c2346ca5af7145240841eb9fc364cb883b491435ef7679007d487303df1e
                                            • Opcode Fuzzy Hash: 0acd80a1cbca83ef09e00590da97733230e3fd6212f3a86cec65839ac287b574
                                            • Instruction Fuzzy Hash: 70217AB19002098FCB10CFA9C5857EEFBF5EF58324F54882AD519A7240C7789945CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            [Control-flow graph figure not reproduced; the basic block 78474ce-784750d calls WriteProcessMemory]
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07847500
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.385971522.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7840000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 5c4f5d3ee9b0f53fb28eadd5084ef681cc0f37084029a7f763b74042ecfcb013
                                            • Instruction ID: 73b0d51e5115a0ea1a1c54cd643d3b8f805b3a449ad200de1da288979bef6af1
                                            • Opcode Fuzzy Hash: 5c4f5d3ee9b0f53fb28eadd5084ef681cc0f37084029a7f763b74042ecfcb013
                                            • Instruction Fuzzy Hash: 792128B59003599FCB10CFA9C9857DEBBF5FF48314F10882AE919A7240D7749944CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            [Control-flow graph figure not reproduced; the basic block 7847560-78475ed calls ReadProcessMemory]
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 078475E0
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.385971522.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7840000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 1098d95a4bdf81b21088498f89e78596e3b83754d797c31464580233fb6cc2ef
                                            • Instruction ID: f1eb718a52f1a0e6b0e6348efc7bca1dc0178d4cc2b3d08996fc6d9bd288db82
                                            • Opcode Fuzzy Hash: 1098d95a4bdf81b21088498f89e78596e3b83754d797c31464580233fb6cc2ef
                                            • Instruction Fuzzy Hash: 56212AB18003099FCB10DFA9D9446DEFBF5FF48324F50882AD519A7250D7749944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            [Control-flow graph figure not reproduced; the basic block 7847333-7847363 calls SetThreadContext]
                                            APIs
                                            • SetThreadContext.KERNELBASE(?,00000000), ref: 07847356
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.385971522.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7840000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: ContextThread
                                            • String ID:
                                            • API String ID: 1591575202-0
                                            • Opcode ID: e471c21878348369d776323e97941485b54e9cf77e63815df6ede6c2eda58db1
                                            • Instruction ID: 500b84e1666b44e942b366f4ee872b1e1baab4c8bd0e4911b95b133014800da6
                                            • Opcode Fuzzy Hash: e471c21878348369d776323e97941485b54e9cf77e63815df6ede6c2eda58db1
                                            • Instruction Fuzzy Hash: 4C213AB19003098FCB10DFAAC5847EEFBF4EF48324F54842AD559A7240DB78A945CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            [Control-flow graph figure not reproduced; the basic block 78473b7-784742b calls VirtualAllocEx]
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0784741E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.385971522.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7840000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: dced62997718e4a6388c18dca2ecef6a833ef4e85c99b9a9ed79d43c8b77b1ff
                                            • Instruction ID: dadef0481afc7964116153622ef14de074a374bac0d039fb8525f676dd53e637
                                            • Opcode Fuzzy Hash: dced62997718e4a6388c18dca2ecef6a833ef4e85c99b9a9ed79d43c8b77b1ff
                                            • Instruction Fuzzy Hash: 67219AB28002489FCF10DFE9D844AEFBFF5AF58324F24881AD555A7210C7749904CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            [Control-flow graph figure not reproduced; the basic block 78473b0-784742b calls VirtualAllocEx]
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0784741E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.385971522.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7840000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 4fb7089c87132510e29c27de539a1523328509a0cc87141ff3e36b2baf5d5825
                                            • Instruction ID: cf49098546787834d45aef78aacfc70f957ee9a4860dd54c7f4e67f043ce0edf
                                            • Opcode Fuzzy Hash: 4fb7089c87132510e29c27de539a1523328509a0cc87141ff3e36b2baf5d5825
                                            • Instruction Fuzzy Hash: 9E1156B19002089FCB10DFEAD8446EFBBF9AF88324F14881AD519A7210C775A944CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            [Control-flow graph figure not reproduced; the basic block 7847221-7847297 calls ResumeThread]
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.385971522.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7840000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: b6dc3ee01738df1327a207d837d394b8cce697ecf149107cfebf8b02d3689941
                                            • Instruction ID: e8d8a833d0355074c4338abba6320be7ccbe48a20a7e8d0e4213550a71662719
                                            • Opcode Fuzzy Hash: b6dc3ee01738df1327a207d837d394b8cce697ecf149107cfebf8b02d3689941
                                            • Instruction Fuzzy Hash: 581158B59002488FDB10DFAAD9447EFFBF5EB88324F14882AD51AA7600C774A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            [Control-flow graph figure not reproduced; the basic block 7847228-7847297 calls ResumeThread]
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.385971522.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7840000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: fd84c8e9064067afff8ea1f6d203fb07b6dba746ba5d4e37f39312cf14482a0a
                                            • Instruction ID: c5483e1a8ea84a3cceaa280d71e7437bfe02cfb02957cd8b63a2b3426c4f9114
                                            • Opcode Fuzzy Hash: fd84c8e9064067afff8ea1f6d203fb07b6dba746ba5d4e37f39312cf14482a0a
                                            • Instruction Fuzzy Hash: 411128B19003088FDB10DFAAD9457DFFBF9EB88324F14881AD519A7640D774A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            [Control-flow graph figure not reproduced; the basic block 784634c-7849e2a calls PostMessageW]
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 07849E1D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.385971522.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7840000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: dcbbf505e7a0e9c5f15c8dcc02a091bdeebfedfe718ad3597e796c8819992d89
                                            • Instruction ID: 04102b883483d22c1c22fc810a2a54f80628c7ec9c4e781013c5d2d8b7164a6c
                                            • Opcode Fuzzy Hash: dcbbf505e7a0e9c5f15c8dcc02a091bdeebfedfe718ad3597e796c8819992d89
                                            • Instruction Fuzzy Hash: 581106B58007099FDB20DF99D849BDFBBF8EB58324F10885AE515A7700D3B4A944CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            [Control-flow graph figure not reproduced; the basic block 7849db8-7849e2a calls PostMessageW]
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 07849E1D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.385971522.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7840000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: d3c2b363318358f6da1948369f48025015967d0cb2b6251c5b97f54e9a149ca5
                                            • Instruction ID: 034ab4c2542e97a6aecc06c5e9e33d19c24cac96c40be193c456604971f98ae1
                                            • Opcode Fuzzy Hash: d3c2b363318358f6da1948369f48025015967d0cb2b6251c5b97f54e9a149ca5
                                            • Instruction Fuzzy Hash: 0411F5B58006499FDB20CF99D845BDFBFF4EB58324F14845AD958A3600C3B5A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.380247337.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_76d000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fc4dc6d2ee9e73cb1c4d9eedc59e960469a5f74b34498640467029ebbec1ae01
                                            • Instruction ID: 8c5778a9ea56ccc6a8ffa3f6588c779612dad80966eb2a83a8ea7b10f613fd5a
                                            • Opcode Fuzzy Hash: fc4dc6d2ee9e73cb1c4d9eedc59e960469a5f74b34498640467029ebbec1ae01
                                            • Instruction Fuzzy Hash: 3A214871A00280DFCB20DF14D9C0B16BF65FB88324F24C5A8ED0A0B646CB3AEC45CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.380290029.000000000077D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_77d000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0a72c33e1fee07309b4c4f7a79f00ebc086d5949a1bbd844cd52558942fa3742
                                            • Instruction ID: 5fdab77a66389a8366afceb29e2b7b5124b25d8b47fd3a4600d45788cb1f1d5c
                                            • Opcode Fuzzy Hash: 0a72c33e1fee07309b4c4f7a79f00ebc086d5949a1bbd844cd52558942fa3742
                                            • Instruction Fuzzy Hash: 3D21D075604244DFCF24DF64D9C4B26BBB5EF88368F24C9A9D80D4B286C73ADC46CA61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.380247337.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_76d000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 26050ac9a710059c9b477200a138371d2ae940eb4f2ea16139302a11668e0a51
                                            • Instruction ID: b98a3ce97ca6a150ab676145b7924715e5c896f22395784a9d93f0b1ba41fc9c
                                            • Opcode Fuzzy Hash: 26050ac9a710059c9b477200a138371d2ae940eb4f2ea16139302a11668e0a51
                                            • Instruction Fuzzy Hash: D311B176904280DFCB21CF14D5C4B16BF72FB94324F28C6A9DC094B656C33AE85ACBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.380290029.000000000077D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_77d000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: abe3a79b71d5a6ab5434c2c550ac10f7a27ed0520e362bee17f3833a5207920d
                                            • Instruction ID: d5ca77ca509c8fdc636f635340d438d9a2f6da95ee8ffef7f80006703c65ca7a
                                            • Opcode Fuzzy Hash: abe3a79b71d5a6ab5434c2c550ac10f7a27ed0520e362bee17f3833a5207920d
                                            • Instruction Fuzzy Hash: E5118B75504280DFCB21CF14D6D4B15BBB1FB88324F28C6AAD8494B656C33AD85ACBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.380247337.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_76d000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9f4f4d4439f7f1f9975443e9202a471699cb285457105d03fff628bb9e0b0bb1
                                            • Instruction ID: 9384d6c76fd2ab40aa8fbc6ae80d37afa213eeade8e21155a7ae75b225111293
                                            • Opcode Fuzzy Hash: 9f4f4d4439f7f1f9975443e9202a471699cb285457105d03fff628bb9e0b0bb1
                                            • Instruction Fuzzy Hash: 3D01D4319043459AD7304A55DC887A7FBDCEF81334F18C45AED0A5B242C77C9C44CAB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.380247337.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_76d000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2dca8053e40166522a96adcccd08a4d0cac69936fe906d05eb1dc5568d591d1d
                                            • Instruction ID: 4b2d4c90323d862e145bcfb60a7100b29baf53c31912e104a12ec71664842bda
                                            • Opcode Fuzzy Hash: 2dca8053e40166522a96adcccd08a4d0cac69936fe906d05eb1dc5568d591d1d
                                            • Instruction Fuzzy Hash: F5F0C2718043449EE7208E06CDC8BA3FBD8EB81734F18C45EED185B286C3789C44CAB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.385971522.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7840000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: S$UUUU$a!<
                                            • API String ID: 0-3912612798
                                            • Opcode ID: bc96f9515e4ddecf8ae287b4f1a1f092d5925ee989abcc7c56c3fd8cb70ad38d
                                            • Instruction ID: 222bb73a1b58e3fd19f5552bd7c859c069e7bfae83186068f8e92418a9e52b37
                                            • Opcode Fuzzy Hash: bc96f9515e4ddecf8ae287b4f1a1f092d5925ee989abcc7c56c3fd8cb70ad38d
                                            • Instruction Fuzzy Hash: AE517F74E15628CBEBA4CFA9C880B8DBBF2AF44304F5485E9D11CE7205D7749A898F15
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:10.8%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:82
                                            Total number of Limit Nodes:5
                                             execution_graph 13891 2e86e3a 13892 2e86dcb DuplicateHandle 13891->13892 13895 2e86e42 13891->13895 13894 2e86e0e 13892->13894 13809 2e8b680 13810 2e8b694 13809->13810 13813 2e8b8ca 13810->13813 13811 2e8b69d 13814 2e8b8d3 13813->13814 13819 2e8baac 13813->13819 13823 2e8bac6 13813->13823 13827 2e8b9b0 13813->13827 13831 2e8b99f 13813->13831 13814->13811 13820 2e8ba5f 13819->13820 13820->13819 13821 2e8baeb 13820->13821 13835 2e8bda9 13820->13835 13824 2e8bad9 13823->13824 13825 2e8baeb 13823->13825 13826 2e8bda9 2 API calls 13824->13826 13826->13825 13828 2e8b9f4 13827->13828 13829 2e8baeb 13828->13829 13830 2e8bda9 2 API calls 13828->13830 13830->13829 13832 2e8b9b0 13831->13832 13833 2e8baeb 13832->13833 13834 2e8bda9 2 API calls 13832->13834 13834->13833 13836 2e8bdc6 13835->13836 13840 2e8be08 13836->13840 13844 2e8bdf9 13836->13844 13837 2e8bdd6 13837->13821 13841 2e8be42 13840->13841 13842 2e8be6c RtlEncodePointer 13841->13842 13843 2e8be95 13841->13843 13842->13843 13843->13837 13845 2e8be42 13844->13845 13846 2e8be6c RtlEncodePointer 13845->13846 13847 2e8be95 13845->13847 13846->13847 13847->13837 13896 2e85190 13897 2e851f8 CreateWindowExW 13896->13897 13899 2e852b4 13897->13899 13900 2e86b50 GetCurrentProcess 13901 2e86bca GetCurrentThread 13900->13901 13902 2e86bc3 13900->13902 13903 2e86c00 13901->13903 13904 2e86c07 GetCurrentProcess 13901->13904 13902->13901 13903->13904 13905 2e86c3d 13904->13905 13906 2e86c65 GetCurrentThreadId 13905->13906 13907 2e86c96 13906->13907 13848 157d01c 13849 157d034 13848->13849 13850 157d08e 13849->13850 13855 2e85348 13849->13855 13859 2e83ca4 13849->13859 13867 2e87961 13849->13867 13875 2e85338 13849->13875 13856 2e8536e 13855->13856 13857 2e83ca4 CallWindowProcW 13856->13857 13858 2e8538f 13857->13858 13858->13850 13860 2e83caf 13859->13860 13861 2e879e9 13860->13861 13863 2e879d9 13860->13863 13864 2e879e7 13861->13864 13887 2e86964 13861->13887 13879 2e87b00 13863->13879 13883 2e87b10 13863->13883 13869 2e87988 13867->13869 13868 2e879e9 13870 2e86964 CallWindowProcW 13868->13870 13872 2e879e7 13868->13872 13869->13868 13871 2e879d9 13869->13871 13870->13872 13873 2e87b00 CallWindowProcW 13871->13873 13874 2e87b10 CallWindowProcW 13871->13874 13873->13872 13874->13872 13876 2e85348 13875->13876 13877 2e83ca4 CallWindowProcW 13876->13877 13878 2e8538f 13877->13878 13878->13850 13881 2e87b05 13879->13881 13880 2e86964 CallWindowProcW 13880->13881 13881->13880 13882 2e87c07 13881->13882 13882->13864 13885 2e87b1e 13883->13885 13884 2e86964 CallWindowProcW 13884->13885 13885->13884 13886 2e87c07 13885->13886 13886->13864 13888 2e8696f 13887->13888 13889 2e87cd2 CallWindowProcW 13888->13889 13890 2e87c81 13888->13890 13889->13890 13890->13864

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 02E86BB0
                                            • GetCurrentThread.KERNEL32 ref: 02E86BED
                                            • GetCurrentProcess.KERNEL32 ref: 02E86C2A
                                            • GetCurrentThreadId.KERNEL32 ref: 02E86C83
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.568527512.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_2e80000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: c174fe10aba78df07802fcd460454ab3d7ad334b1e77788e519273c17b617377
                                            • Instruction ID: 40054bf8236c4875a005ed528defee530197f691a809eb9071ab4991b9b08690
                                            • Opcode Fuzzy Hash: c174fe10aba78df07802fcd460454ab3d7ad334b1e77788e519273c17b617377
                                            • Instruction Fuzzy Hash: 745134B09006498FDB14CFA9C649BDEBBF4FF88318F248459E559A7260DB346948CF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 78 2e85184-2e851f6 79 2e851f8-2e851fe 78->79 80 2e85201-2e85208 78->80 79->80 81 2e8520a-2e85210 80->81 82 2e85213-2e8524b 80->82 81->82 83 2e85253-2e852b2 CreateWindowExW 82->83 84 2e852bb-2e852f3 83->84 85 2e852b4-2e852ba 83->85 89 2e85300 84->89 90 2e852f5-2e852f8 84->90 85->84 91 2e85301 89->91 90->89 91->91
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E852A2
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.568527512.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_2e80000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: f068e95ee314bd600629192ace29cdeb232af7f1f3d42d8547a7076211825d93
                                            • Instruction ID: e269f490e26915fd26c257b68b54095124a21ce5bcd3dd940d8e538cb6a343a7
                                            • Opcode Fuzzy Hash: f068e95ee314bd600629192ace29cdeb232af7f1f3d42d8547a7076211825d93
                                            • Instruction Fuzzy Hash: 7551E0B5D00309DFDB14CF99C984ADEBBF5BF48318F64812AE818AB210DB74A845CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 92 2e85190-2e851f6 93 2e851f8-2e851fe 92->93 94 2e85201-2e85208 92->94 93->94 95 2e8520a-2e85210 94->95 96 2e85213-2e852b2 CreateWindowExW 94->96 95->96 98 2e852bb-2e852f3 96->98 99 2e852b4-2e852ba 96->99 103 2e85300 98->103 104 2e852f5-2e852f8 98->104 99->98 105 2e85301 103->105 104->103 105->105
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E852A2
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.568527512.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_2e80000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: fccaa90174e355a3c108643e048a153863d281f290e493095ed73253cab94550
                                            • Instruction ID: 6816add724ab0bf4f3fec3d2ed5902891fc89de32bf614fec742e817d4fdfa10
                                            • Opcode Fuzzy Hash: fccaa90174e355a3c108643e048a153863d281f290e493095ed73253cab94550
                                            • Instruction Fuzzy Hash: 9541C0B5D00309DFDB14CF99C984ADEBBF5BF48314F64912AE819AB210DB74A845CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 106 2e86e3a-2e86e40 107 2e86dcb-2e86dce 106->107 108 2e86e42-2e86e53 106->108 110 2e86dcf-2e86de1 107->110 111 2e86e5e-2e86f66 108->111 113 2e86de3-2e86e0c DuplicateHandle 110->113 114 2e86e0e-2e86e14 113->114 115 2e86e15-2e86e32 113->115 114->115
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E86DFF
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.568527512.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_2e80000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: e21b1db4370063a5f7751f4673bcc28c7b1aa02827b3f680c4766b69183cac1d
                                            • Instruction ID: 8a0778dc5d6386c166c4749609af9086980c1fb798098935c3429325cdfc8c81
                                            • Opcode Fuzzy Hash: e21b1db4370063a5f7751f4673bcc28c7b1aa02827b3f680c4766b69183cac1d
                                            • Instruction Fuzzy Hash: 46413D746502489FE7009FA4E68ABAD7BA6FB49314F10846AF90597BD0CF785C05DF22
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 128 2e86964-2e87c74 131 2e87c7a-2e87c7f 128->131 132 2e87d24-2e87d44 call 2e83ca4 128->132 133 2e87c81-2e87cb8 131->133 134 2e87cd2-2e87d0a CallWindowProcW 131->134 139 2e87d47-2e87d54 132->139 141 2e87cba-2e87cc0 133->141 142 2e87cc1-2e87cd0 133->142 137 2e87d0c-2e87d12 134->137 138 2e87d13-2e87d22 134->138 137->138 138->139 141->142 142->139
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 02E87CF9
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.568527512.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_2e80000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: 59909253f93f6de802e440d1f9ef96fdd0133578ee6b5c831a6b2c01385e0b5f
                                            • Instruction ID: cae10c205cff97583deff0ccd1240e1ad62ef79b23a1473e3f6cc96ed8f0e134
                                            • Opcode Fuzzy Hash: 59909253f93f6de802e440d1f9ef96fdd0133578ee6b5c831a6b2c01385e0b5f
                                            • Instruction Fuzzy Hash: 0E415BB89003098FDB10CF99C589AAAFBF5FF89314F24C499D5596B361D734A841CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 145 2e86d72-2e86dcc 147 2e86dcf-2e86de1 145->147 149 2e86de3-2e86e0c DuplicateHandle 147->149 150 2e86e0e-2e86e14 149->150 151 2e86e15-2e86e32 149->151 150->151
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E86DFF
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.568527512.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_2e80000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 3f524686b2d20c70ccf1a9901f10157fc3eb561f9a35dbfbc8ff0cbce2d9bbac
                                            • Instruction ID: 07044c9153d3abc5843925e3db5db7e766686b06386d7d67263fd99b9ecc867f
                                            • Opcode Fuzzy Hash: 3f524686b2d20c70ccf1a9901f10157fc3eb561f9a35dbfbc8ff0cbce2d9bbac
                                            • Instruction Fuzzy Hash: 6521E4B5900208DFDF10CF99D984ADEBBF8FB48324F14841AE958A7310D378A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 154 2e86d78-2e86dcc 155 2e86dcf-2e86de1 154->155 157 2e86de3-2e86e0c DuplicateHandle 155->157 158 2e86e0e-2e86e14 157->158 159 2e86e15-2e86e32 157->159 158->159
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E86DFF
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.568527512.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_2e80000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 7247610a12593be176c6afa6339fab924479770526538655bfbd3dd242e3b357
                                            • Instruction ID: 212d8cb4110dac89f4451da8792dee5a871633369cdaa97bb6a9c9a80ab9b66d
                                            • Opcode Fuzzy Hash: 7247610a12593be176c6afa6339fab924479770526538655bfbd3dd242e3b357
                                            • Instruction Fuzzy Hash: 2B21D3B5900208DFDB10CFAAD984ADEFBF8FB48324F14845AE958A7310D374A954CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 162 2e8bdf9-2e8be39 163 2e8be42-2e8be4a 162->163 174 2e8be3c call 2e8bee0 162->174 165 2e8be4c-2e8be4e 163->165 166 2e8be50 163->166 167 2e8be55-2e8be60 165->167 166->167 168 2e8bec1-2e8bece 167->168 169 2e8be62-2e8be93 RtlEncodePointer 167->169 171 2e8be9c-2e8bebc 169->171 172 2e8be95-2e8be9b 169->172 171->168 172->171 174->163
                                            APIs
                                            • RtlEncodePointer.NTDLL(00000000), ref: 02E8BE82
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.568527512.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_2e80000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: EncodePointer
                                            • String ID:
                                            • API String ID: 2118026453-0
                                            • Opcode ID: eb53c692317302c987612207d142c8692bb30bf68631cb7710f9d88e3e76782a
                                            • Instruction ID: 8b29cb702c030c0268ef2093ad7ed5a6d8b4ce2c6e70b2c783f5600234ec42eb
                                            • Opcode Fuzzy Hash: eb53c692317302c987612207d142c8692bb30bf68631cb7710f9d88e3e76782a
                                            • Instruction Fuzzy Hash: 02216AB29417098FDB10DFA9C94939EBFF4EB04318F24882ED549E3600D7386548CF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 175 2e8be08-2e8be4a call 2e8bee0 178 2e8be4c-2e8be4e 175->178 179 2e8be50 175->179 180 2e8be55-2e8be60 178->180 179->180 181 2e8bec1-2e8bece 180->181 182 2e8be62-2e8be93 RtlEncodePointer 180->182 184 2e8be9c-2e8bebc 182->184 185 2e8be95-2e8be9b 182->185 184->181 185->184
                                            APIs
                                            • RtlEncodePointer.NTDLL(00000000), ref: 02E8BE82
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.568527512.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_2e80000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID: EncodePointer
                                            • String ID:
                                            • API String ID: 2118026453-0
                                            • Opcode ID: 66baeda184455d4104c3cfaacc9e04edf727a723d28538ff0bb0ffa93193bec0
                                            • Instruction ID: 7043539f83303006e1319f097bdfb783b27b650f0e21c42d1efe661cd108bac6
                                            • Opcode Fuzzy Hash: 66baeda184455d4104c3cfaacc9e04edf727a723d28538ff0bb0ffa93193bec0
                                            • Instruction Fuzzy Hash: 781136729007098FDB10EFA9C50979ABBF4EB48318F24842AD549E7600DB3969488FA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.568386353.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_156d000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f126269bc3164453acb49b964c564b8198c65daf9d12ae8e74fdb6701c1ff6ff
                                            • Instruction ID: e8a59845a24147b7c34152e4c7b125ef907fd7f9e190284e7f7756377b1f3847
                                            • Opcode Fuzzy Hash: f126269bc3164453acb49b964c564b8198c65daf9d12ae8e74fdb6701c1ff6ff
                                            • Instruction Fuzzy Hash: A7210071604240DFDB119F94D9C0B6ABBB9FB88328F2489A8E9450F246C776E845CBE1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.568386353.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_156d000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 82ebcc09fc2acca6de7995cc650d07e60adf9eb007799ea75d57de240a0c7a22
                                            • Instruction ID: d48fb077833e0e3501e4fa451f0506884eac7acfe607be4dee35d830857eac58
                                            • Opcode Fuzzy Hash: 82ebcc09fc2acca6de7995cc650d07e60adf9eb007799ea75d57de240a0c7a22
                                            • Instruction Fuzzy Hash: E1212471200244DFCB01DF94C9C0B1ABBB9FB94328F248DA8E8454F646C336D856CAE1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.568412187.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_157d000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0e00b7be1cfd8c0affe81d61b1f7d0e177a91f1c57208bbec89ff2683fc387c0
                                            • Instruction ID: 585e3f930c4878cbe6176d4e3b16ecc8907d7205097cf2f8590015abe5024808
                                            • Opcode Fuzzy Hash: 0e00b7be1cfd8c0affe81d61b1f7d0e177a91f1c57208bbec89ff2683fc387c0
                                            • Instruction Fuzzy Hash: A6212275504204DFCB12CFA4E9C4B2ABBB5FF84364F24C9ADD8090F246D73AD846CA61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.568412187.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_157d000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 832d783984419026ea32a9263c4d3b421c3161aea85c0e002f3c38e59abb6e46
                                            • Instruction ID: 033a8c6c8fb93c5d2cba30005031e0af6ca63e46b1063472fbfa74dedffa1c89
                                            • Opcode Fuzzy Hash: 832d783984419026ea32a9263c4d3b421c3161aea85c0e002f3c38e59abb6e46
                                            • Instruction Fuzzy Hash: C02168755093808FCB13CF24D990B15BF71AF46214F28C5EAD8498F6A7C33A980ACB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.568386353.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_156d000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 26050ac9a710059c9b477200a138371d2ae940eb4f2ea16139302a11668e0a51
                                            • Instruction ID: dc60e2916cc3d1873e01b8b7741d09fbd76be65e375a5a45c879f68ec3f554e4
                                            • Opcode Fuzzy Hash: 26050ac9a710059c9b477200a138371d2ae940eb4f2ea16139302a11668e0a51
                                            • Instruction Fuzzy Hash: 3B11BE76504280CFDB12CF54DAC4B1ABF71FB84324F2886A9D8494F657C33AD45ACBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.568386353.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_156d000_Sat#U0131nalma Sipari#U015fi -AR95647,pdf.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 26050ac9a710059c9b477200a138371d2ae940eb4f2ea16139302a11668e0a51
                                            • Instruction ID: 5ed2c6106023e5146a3b83c5f93eb01e953e6d71da0a6f419b745701a51d53de
                                            • Opcode Fuzzy Hash: 26050ac9a710059c9b477200a138371d2ae940eb4f2ea16139302a11668e0a51
                                            • Instruction Fuzzy Hash: 6311B176504280CFCB12CF54DAC4B1ABF72FB84324F2486A9D8494F656C336D45ACBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%