Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
rPurchaseOrder300610-PDF.exe

Overview

General Information

Sample name:rPurchaseOrder300610-PDF.exe
Analysis ID:1455405
MD5:e76975d634d228179adc45cad8f2000d
SHA1:9e5d85b6a9ce9c4ca3793c7f140e57e9ed024db3
SHA256:308004785363cf352a7c339d778f301bd25686dc8463190a41f3a5f65eb6c1dc
Tags:AgentTeslaexe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • rPurchaseOrder300610-PDF.exe (PID: 7268 cmdline: "C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exe" MD5: E76975D634D228179ADC45CAD8F2000D)
    • RegSvcs.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "srv.masternic.net", "Username": "technical2@petropardis.ir", "Password": "-H{2Szxi!%qb"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1737903972.0000000003630000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000000.00000002.1737903972.0000000003630000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000000.00000002.1737903972.0000000003630000.00000004.00001000.00020000.00000000.sdmpINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
      • 0x334c7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
      • 0x33539:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
      • 0x335c3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
      • 0x33655:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
      • 0x336bf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
      • 0x33731:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
      • 0x337c7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
      • 0x33857:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
      00000001.00000002.2983820925.000000000319E000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000001.00000002.2983011276.0000000000402000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          Click to see the 8 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          1.2.RegSvcs.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            1.2.RegSvcs.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              1.2.RegSvcs.exe.400000.0.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
              • 0x334c7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
              • 0x33539:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
              • 0x335c3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
              • 0x33655:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
              • 0x336bf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
              • 0x33731:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
              • 0x337c7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
              • 0x33857:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
              0.2.rPurchaseOrder300610-PDF.exe.3630000.1.raw.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                0.2.rPurchaseOrder300610-PDF.exe.3630000.1.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  Click to see the 4 entries

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: Suspicious Outbound SMTP Connections
                  Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 174.141.234.138, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7284, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

                  Snort Signatures

                  No Snort rule has matched

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Found malware configuration
                  Source: 1.2.RegSvcs.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "srv.masternic.net", "Username": "technical2@petropardis.ir", "Password": "-H{2Szxi!%qb"}
                  Multi AV Scanner detection for submitted file
                  Source: rPurchaseOrder300610-PDF.exeReversingLabs: Detection: 39%
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.2% probability
                  Machine Learning detection for sample
                  Source: rPurchaseOrder300610-PDF.exeJoe Sandbox ML: detected
                  Source: rPurchaseOrder300610-PDF.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: Binary string: wntdll.pdbUGP source: rPurchaseOrder300610-PDF.exe, 00000000.00000003.1734448104.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, rPurchaseOrder300610-PDF.exe, 00000000.00000003.1734334049.0000000003B10000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: rPurchaseOrder300610-PDF.exe, 00000000.00000003.1734448104.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, rPurchaseOrder300610-PDF.exe, 00000000.00000003.1734334049.0000000003B10000.00000004.00001000.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00844696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00844696
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0084C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0084C9C7
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0084C93C FindFirstFileW,FindClose,0_2_0084C93C
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0084F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0084F200
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0084F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0084F35D
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0084F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0084F65E
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00843A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00843A2B
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00843D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00843D4E
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0084BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0084BF27
                  Source: global trafficTCP traffic: 192.168.2.4:49731 -> 174.141.234.138:587
                  Source: Joe Sandbox ViewASN Name: ASN-GIGENETUS ASN-GIGENETUS
                  Source: global trafficTCP traffic: 192.168.2.4:49731 -> 174.141.234.138:587
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_008525E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_008525E2
                  Source: global trafficDNS traffic detected: DNS query: srv.masternic.net
                  Source: RegSvcs.exe, 00000001.00000002.2985758558.000000000641B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2985758558.0000000006404000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2983820925.000000000319E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                  Source: RegSvcs.exe, 00000001.00000002.2985758558.000000000641B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                  Source: RegSvcs.exe, 00000001.00000002.2983450730.00000000014CD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2985758558.0000000006404000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2983820925.000000000319E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                  Source: RegSvcs.exe, 00000001.00000002.2983450730.00000000014CD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2985758558.0000000006404000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2983820925.000000000319E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
                  Source: RegSvcs.exe, 00000001.00000002.2983450730.00000000014CD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2985758558.000000000641B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2985758558.0000000006404000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2983820925.000000000319E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                  Source: RegSvcs.exe, 00000001.00000002.2983820925.000000000319E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://srv.masternic.net
                  Source: rPurchaseOrder300610-PDF.exe, 00000000.00000002.1737903972.0000000003630000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2983011276.0000000000402000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                  Source: RegSvcs.exe, 00000001.00000002.2983450730.00000000014CD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2985758558.0000000006404000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2983820925.000000000319E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  barindex
                  Contains functionality to log keystrokes (.Net Source)
                  Source: 0.2.rPurchaseOrder300610-PDF.exe.3630000.1.raw.unpack, 7KG.cs.Net Code: D3z
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0085425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0085425A
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00854458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00854458
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0085425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0085425A
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00840219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00840219
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0086CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0086CDAC

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.rPurchaseOrder300610-PDF.exe.3630000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.rPurchaseOrder300610-PDF.exe.3630000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000000.00000002.1737903972.0000000003630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Binary is likely a compiled AutoIt script file
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: This is a third-party compiled AutoIt script.0_2_007E3B4C
                  Source: rPurchaseOrder300610-PDF.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: rPurchaseOrder300610-PDF.exe, 00000000.00000002.1737043929.0000000000895000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_e938e5fb-4
                  Source: rPurchaseOrder300610-PDF.exe, 00000000.00000002.1737043929.0000000000895000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_b7ae6bf8-b
                  Source: rPurchaseOrder300610-PDF.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_cc7687cc-5
                  Source: rPurchaseOrder300610-PDF.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_1badaef4-3
                  Initial sample is a PE file and has a suspicious name
                  Source: initial sampleStatic PE information: Filename: rPurchaseOrder300610-PDF.exe
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_008440B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,0_2_008440B1
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00838858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00838858
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0084545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_0084545F
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_007EE8000_2_007EE800
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0080DBB50_2_0080DBB5
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_007EE0600_2_007EE060
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0086804A0_2_0086804A
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_007F41400_2_007F4140
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_008024050_2_00802405
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_008165220_2_00816522
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_008606650_2_00860665
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0081267E0_2_0081267E
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_007F68430_2_007F6843
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0080283A0_2_0080283A
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_008189DF0_2_008189DF
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00816A940_2_00816A94
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00860AE20_2_00860AE2
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_007F8A0E0_2_007F8A0E
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0083EB070_2_0083EB07
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00848B130_2_00848B13
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0080CD610_2_0080CD61
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_008170060_2_00817006
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_007F710E0_2_007F710E
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_007F31900_2_007F3190
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_007E12870_2_007E1287
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_008033C70_2_008033C7
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0080F4190_2_0080F419
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_008016C40_2_008016C4
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_007F56800_2_007F5680
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_008078D30_2_008078D3
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_007F58C00_2_007F58C0
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00801BB80_2_00801BB8
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00819D050_2_00819D05
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_007EFE400_2_007EFE40
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00801FD00_2_00801FD0
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0080BFE60_2_0080BFE6
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_036236000_2_03623600
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_02F593781_2_02F59378
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_02F54A981_2_02F54A98
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_02F59B381_2_02F59B38
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_02F53E801_2_02F53E80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_02F5CFF01_2_02F5CFF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_02F541C81_2_02F541C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_064F56D01_2_064F56D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_064F3F401_2_064F3F40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_064FBCE01_2_064FBCE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_064FDCF81_2_064FDCF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_064F9AD01_2_064F9AD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_064F2AF01_2_064F2AF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_064F8B881_2_064F8B88
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_064F00401_2_064F0040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_064F4FF01_2_064F4FF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_064F32401_2_064F3240
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: String function: 00808B40 appears 42 times
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: String function: 007E7F41 appears 35 times
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: String function: 00800D27 appears 70 times
                  Source: rPurchaseOrder300610-PDF.exe, 00000000.00000003.1733699895.0000000003DDD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs rPurchaseOrder300610-PDF.exe
                  Source: rPurchaseOrder300610-PDF.exe, 00000000.00000003.1735044412.0000000003C33000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs rPurchaseOrder300610-PDF.exe
                  Source: rPurchaseOrder300610-PDF.exe, 00000000.00000002.1737903972.0000000003630000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilename64110f8f-1c32-4e24-bcc3-81d4f8370edf.exe4 vs rPurchaseOrder300610-PDF.exe
                  Source: rPurchaseOrder300610-PDF.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.rPurchaseOrder300610-PDF.exe.3630000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.rPurchaseOrder300610-PDF.exe.3630000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 00000000.00000002.1737903972.0000000003630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.rPurchaseOrder300610-PDF.exe.3630000.1.raw.unpack, 1UT6pzc0M.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.rPurchaseOrder300610-PDF.exe.3630000.1.raw.unpack, DnQOD3M.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.rPurchaseOrder300610-PDF.exe.3630000.1.raw.unpack, 01seU.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.rPurchaseOrder300610-PDF.exe.3630000.1.raw.unpack, iUDwvr7Gz.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.rPurchaseOrder300610-PDF.exe.3630000.1.raw.unpack, XUu2qKyuF6.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.rPurchaseOrder300610-PDF.exe.3630000.1.raw.unpack, aZathEIgR.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                  Source: 0.2.rPurchaseOrder300610-PDF.exe.3630000.1.raw.unpack, l50VLEll22.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.rPurchaseOrder300610-PDF.exe.3630000.1.raw.unpack, l50VLEll22.csCryptographic APIs: 'TransformFinalBlock'
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/4@1/1
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0084A2D5 GetLastError,FormatMessageW,0_2_0084A2D5
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00838713 AdjustTokenPrivileges,CloseHandle,0_2_00838713
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00838CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00838CC3
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0084B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0084B59E
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0085F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0085F121
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_008586D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,0_2_008586D0
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_007E4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_007E4FE9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeFile created: C:\Users\user\AppData\Local\Temp\autCE2F.tmpJump to behavior
                  Source: rPurchaseOrder300610-PDF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: rPurchaseOrder300610-PDF.exeReversingLabs: Detection: 39%
                  Source: unknownProcess created: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exe "C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exe"
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exe"
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                  Source: rPurchaseOrder300610-PDF.exeStatic file information: File size 1116160 > 1048576
                  Source: rPurchaseOrder300610-PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: rPurchaseOrder300610-PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: rPurchaseOrder300610-PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: rPurchaseOrder300610-PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: rPurchaseOrder300610-PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: rPurchaseOrder300610-PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: rPurchaseOrder300610-PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wntdll.pdbUGP source: rPurchaseOrder300610-PDF.exe, 00000000.00000003.1734448104.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, rPurchaseOrder300610-PDF.exe, 00000000.00000003.1734334049.0000000003B10000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: rPurchaseOrder300610-PDF.exe, 00000000.00000003.1734448104.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, rPurchaseOrder300610-PDF.exe, 00000000.00000003.1734334049.0000000003B10000.00000004.00001000.00020000.00000000.sdmp
                  Source: rPurchaseOrder300610-PDF.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: rPurchaseOrder300610-PDF.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: rPurchaseOrder300610-PDF.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: rPurchaseOrder300610-PDF.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: rPurchaseOrder300610-PDF.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0085C304 LoadLibraryA,GetProcAddress,0_2_0085C304
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_007EC590 push eax; retn 007Eh0_2_007EC599
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00848719 push FFFFFF8Bh; iretd 0_2_0084871B
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0080E94F push edi; ret 0_2_0080E951
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0080EA68 push esi; ret 0_2_0080EA6A
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00808B85 push ecx; ret 0_2_00808B98
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0080EC43 push esi; ret 0_2_0080EC45
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0080ED2C push edi; ret 0_2_0080ED2E
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_007E4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_007E4A35
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_008655FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_008655FD
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_008033C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_008033C7
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Switches to a custom stack to bypass stack traces
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeAPI/Special instruction interceptor: Address: 3623224
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 4963Jump to behavior
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-99302
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeAPI coverage: 4.7 %
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00844696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00844696
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0084C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0084C9C7
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0084C93C FindFirstFileW,FindClose,0_2_0084C93C
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0084F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0084F200
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0084F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0084F35D
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0084F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0084F65E
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00843A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00843A2B
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00843D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00843D4E
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0084BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0084BF27
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_007E4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_007E4AFE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99875Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99765Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99656Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99547Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99437Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99328Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99218Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99109Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98890Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98781Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98672Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98547Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98437Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98328Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98218Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98109Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97889Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97781Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97672Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97550Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97422Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97297Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97187Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: RegSvcs.exe, 00000001.00000002.2985758558.0000000006404000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeAPI call chain: ExitProcess graph end nodegraph_0-98122
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_008541FD BlockInput,0_2_008541FD
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_007E3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_007E3B4C
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00815CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00815CCC
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0085C304 LoadLibraryA,GetProcAddress,0_2_0085C304
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_036234F0 mov eax, dword ptr fs:[00000030h]0_2_036234F0
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_03623490 mov eax, dword ptr fs:[00000030h]0_2_03623490
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_03621E70 mov eax, dword ptr fs:[00000030h]0_2_03621E70
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_008381F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_008381F7
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0080A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0080A395
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0080A364 SetUnhandledExceptionFilter,0_2_0080A364
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Maps a DLL or memory area into another process
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and writeJump to behavior
                  Writes to foreign memory regions
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1039008Jump to behavior
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00838C93 LogonUserW,0_2_00838C93
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_007E3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_007E3B4C
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_007E4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_007E4A35
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00844EC9 mouse_event,0_2_00844EC9
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_008381F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_008381F7
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00844C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00844C03
                  Source: rPurchaseOrder300610-PDF.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: rPurchaseOrder300610-PDF.exeBinary or memory string: Shell_TrayWnd
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0080886B cpuid 0_2_0080886B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_008150D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_008150D7
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00822230 GetUserNameW,0_2_00822230
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_0081418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_0081418A
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_007E4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_007E4AFE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.rPurchaseOrder300610-PDF.exe.3630000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.rPurchaseOrder300610-PDF.exe.3630000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.1737903972.0000000003630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2983820925.000000000319E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2983011276.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2983820925.00000000031C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2983820925.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: rPurchaseOrder300610-PDF.exe PID: 7268, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7284, type: MEMORYSTR
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                  Tries to harvest and steal ftp login credentials
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                  Tries to steal Mail credentials (via file / registry access)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                  Source: rPurchaseOrder300610-PDF.exeBinary or memory string: WIN_81
                  Source: rPurchaseOrder300610-PDF.exeBinary or memory string: WIN_XP
                  Source: rPurchaseOrder300610-PDF.exeBinary or memory string: WIN_XPe
                  Source: rPurchaseOrder300610-PDF.exeBinary or memory string: WIN_VISTA
                  Source: rPurchaseOrder300610-PDF.exeBinary or memory string: WIN_7
                  Source: rPurchaseOrder300610-PDF.exeBinary or memory string: WIN_8
                  Source: rPurchaseOrder300610-PDF.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                  Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.rPurchaseOrder300610-PDF.exe.3630000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.rPurchaseOrder300610-PDF.exe.3630000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.1737903972.0000000003630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2983011276.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2983820925.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: rPurchaseOrder300610-PDF.exe PID: 7268, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7284, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.rPurchaseOrder300610-PDF.exe.3630000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.rPurchaseOrder300610-PDF.exe.3630000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.1737903972.0000000003630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2983820925.000000000319E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2983011276.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2983820925.00000000031C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2983820925.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: rPurchaseOrder300610-PDF.exe PID: 7268, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7284, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00856596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00856596
                  Source: C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exeCode function: 0_2_00856A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00856A5A

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire Infrastructure2
                  Valid Accounts                  		121
                  Windows Management Instrumentation                  		1
                  DLL Side-Loading                  		1
                  Exploitation for Privilege Escalation                  		11
                  Disable or Modify Tools                  		2
                  OS Credential Dumping                  		2
                  System Time Discovery                  		Remote Services11
                  Archive Collected Data                  		1
                  Ingress Tool Transfer                  		Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts2
                  Native API                  		2
                  Valid Accounts                  		1
                  DLL Side-Loading                  		11
                  Deobfuscate/Decode Files or Information                  		121
                  Input Capture                  		1
                  Account Discovery                  		Remote Desktop Protocol2
                  Data from Local System                  		1
                  Encrypted Channel                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)2
                  Valid Accounts                  		2
                  Obfuscated Files or Information                  		1
                  Credentials in Registry                  		2
                  File and Directory Discovery                  		SMB/Windows Admin Shares1
                  Email Collection                  		1
                  Non-Standard Port                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook21
                  Access Token Manipulation                  		1
                  DLL Side-Loading                  		NTDS138
                  System Information Discovery                  		Distributed Component Object Model121
                  Input Capture                  		1
                  Non-Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
                  Process Injection                  		2
                  Valid Accounts                  		LSA Secrets241
                  Security Software Discovery                  		SSH3
                  Clipboard Data                  		11
                  Application Layer Protocol                  		Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts121
                  Virtualization/Sandbox Evasion                  		Cached Domain Credentials121
                  Virtualization/Sandbox Evasion                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
                  Access Token Manipulation                  		DCSync2
                  Process Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job212
                  Process Injection                  		Proc Filesystem11
                  Application Window Discovery                  		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow1
                  System Owner/User Discovery                  		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  rPurchaseOrder300610-PDF.exe39%ReversingLabsWin32.Trojan.AgentTesla
                  rPurchaseOrder300610-PDF.exe100%Joe Sandbox ML

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  https://sectigo.com/CPS00%URL Reputationsafe
                  https://account.dyn.com/0%URL Reputationsafe
                  http://srv.masternic.net0%Avira URL Cloudsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  srv.masternic.net
                  		174.141.234.138
                  		truetrue
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    https://sectigo.com/CPS0RegSvcs.exe, 00000001.00000002.2983450730.00000000014CD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2985758558.0000000006404000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2983820925.000000000319E000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://account.dyn.com/rPurchaseOrder300610-PDF.exe, 00000000.00000002.1737903972.0000000003630000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2983011276.0000000000402000.00000040.80000000.00040000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://srv.masternic.netRegSvcs.exe, 00000001.00000002.2983820925.000000000319E000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown

                    World Map of Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public IPs

                    IPDomainCountryFlagASNASN NameMalicious
                    174.141.234.138
                    		srv.masternic.netUnited States
                    		32181ASN-GIGENETUStrue

                    General Information

                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1455405
                    Start date and time:2024-06-11 19:46:09 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 0s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:6
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:rPurchaseOrder300610-PDF.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@3/4@1/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 58
                    • Number of non-executed functions: 266
                    Cookbook Comments:
                    • Found application associated with file extension: .exe

                    Warnings

                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: rPurchaseOrder300610-PDF.exe

                    Simulations

                    Behavior and APIs

                    TimeTypeDescription
                    13:47:07API Interceptor26x Sleep call for process: RegSvcs.exe modified

                    Joe Sandbox View / Context

                    IPs

                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    174.141.234.138INQ No.KP-20-00-PS-PI-INQ-0018-PDF.exeGet hashmaliciousAgentTeslaBrowse
                      DHL airwaybill # 84940660132-PDF.exeGet hashmaliciousAgentTeslaBrowse

                        Domains

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        srv.masternic.netINQ No.KP-20-00-PS-PI-INQ-0018-PDF.exeGet hashmaliciousAgentTeslaBrowse
                        • 174.141.234.138
                        DHL airwaybill # 84940660132-PDF.exeGet hashmaliciousAgentTeslaBrowse
                        • 174.141.234.138

                        ASNs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        ASN-GIGENETUS41XX8Kwk8K.elfGet hashmaliciousMiraiBrowse
                        • 216.38.6.174
                        INQ No.KP-20-00-PS-PI-INQ-0018-PDF.exeGet hashmaliciousAgentTeslaBrowse
                        • 174.141.234.138
                        DHL airwaybill # 84940660132-PDF.exeGet hashmaliciousAgentTeslaBrowse
                        • 174.141.234.138
                        863Oc9fFgF.elfGet hashmaliciousMiraiBrowse
                        • 216.38.6.175
                        VxrYNgC0xs.elfGet hashmaliciousMiraiBrowse
                        • 216.38.6.170
                        L31owFeEHg.elfGet hashmaliciousMiraiBrowse
                        • 69.65.0.70
                        G4nRIeXFFj.elfGet hashmaliciousMiraiBrowse
                        • 216.38.6.143
                        JoaD4Dp71E.elfGet hashmaliciousMiraiBrowse
                        • 216.38.6.139
                        UksgYUGMnj.elfGet hashmaliciousMiraiBrowse
                        • 69.65.0.56
                        DHz0sMSRlg.elfGet hashmaliciousMiraiBrowse
                        • 216.38.6.154

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Users\user\AppData\Local\Temp\Maianthemum

                        Download File
                        Process:C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):240128
                        Entropy (8bit):6.597966061213347
                        Encrypted:false
                        SSDEEP:6144:tHCFxwPf3DviuqmZOK9hAhHxWWh4XMlcC:tHY2vDvitAOK9hkHxtacD
                        MD5:E0C36B9F8F4768B9EE3394E91C307493
                        SHA1:34C05B03D479062EDCEE71A69F226F9C1E6988D0
                        SHA-256:F2A58FFEA81C06856CF1AAD6BFBB83A6C217548B2F672589D62BD1090841756A
                        SHA-512:CE122DA5C81994123183066CF1CBCB8D10F1A858BC78E5893746801C7124E3FC5BFB7DEA4930F1784F83A05F080077D5D42EBA207590201A1B18609EF7CB8D43
                        Malicious:false
                        Reputation:low
                        Preview:.b.R0SBXP7FK..8R.3SBXT7F.CO8RR3SBXT7FKCO8RR3SBXT7FKCO8RR3SBX.7FKMP.\R.Z.y.6..b.P;!.#073E'&c,Y<<\'b:1.4>-oQ<rw..x9X".mB5Xv3SBXT7F..O8.S0S?.qQFKCO8RR3.BZU<G@CO.QR3[BXT7FKM.;RR.SBX.4FKC.8Rr3SBZT7BKCO8RR3WBXT7FKCO8VR3QBXT7FKAOx.R3CBXD7FKC_8RB3SBXT7VKCO8RR3SBXT..HC.8RR3.AX.2FKCO8RR3SBXT7FKCO8R.0SNXT7FKCO8RR3SBXT7FKCO8RR3SBXT7FKCO8RR3SBXT7FKCO8RR3SBxT7NKCO8RR3SBXT?fKC.8RR3SBXT7FKm;]*&3SBL.4FKcO8R.0SBZT7FKCO8RR3SBXT.FK#aJ! PSBX.2FKC.;RR5SBX.4FKCO8RR3SBXT7.KC.. 7_<!XT;FKCO.QR3QBXT.EKCO8RR3SBXT7F.COzRR3SBXT7FKCO8RR3..[T7FKC.8RR1SGX..DK..9RQ3SBYT7@KCO8RR3SBXT7FKCO8RR3SBXT7FKCO8RR3SBXT7FKCO8RR3SBE......../.Y _...,.L..A..;..8.^.4,.x.O....d:>..3.Mh...B...'.[G!U.....2YB]*.#.I*.R....nc,.|.M-.B..-p.:1b.j..t.....82....&..0-5zV6;/*..3U201.5.JCO8R......";.b.Q<MvJ,a....@*e...IFKC+8RRASBX57FK.O8R=3SB6T7F5CO8,R3S.XT7.KCO.RR3vBXTZFKCk8RRMSBX.JID...;!..BXT7F~....?........yI.,h1z..."...bW..\*.#t....6.X..O.\@h..?ST7V@_P4JvM....QF\Q5AO@C.\...y...z...#.....:KCO8RR.SB.T7F..O.RR3.B.T..KCO..R.S.X..K

                        C:\Users\user\AppData\Local\Temp\autCE2F.tmp

                        Download File
                        Process:C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):142714
                        Entropy (8bit):7.931021827072133
                        Encrypted:false
                        SSDEEP:3072:png2JxubVV8xbi1Hgf9mC/773Iyvd1XzQEHF+a0IDH9j64MVCan:pGJVoiGR/773Bd1Xz5HAa0IpjEVb
                        MD5:EC21EFB1CC5EE45BCEA491BBDB69D070
                        SHA1:FF22430DFA285CE7D8C7129F8F1ADCD21A8C019B
                        SHA-256:133832B10F9540F0A16570ED19003EC5A1E0F7C57AC32DD8D4DE5A14431ABC66
                        SHA-512:CBE8A59B71FAC5C2DC5226836470658EE2DA04E6F651B21A5A26783485E68C854422B93A1D9E1309BCAFE1896B39192FAD7E3C671AAB7D883CC3C9C7CAF268BC
                        Malicious:false
                        Reputation:low
                        Preview:EA06.....X.U).N.X.M....qR.L..J.......*..ni`..OP.4..0U......&.5.7P..br9..gE..r...y\..S...}-..g.+.r#x..$R.m.kX..'f7...#.9.N...@....V...=..O.TjS:...)...J...42.@.r.8.\..J.RoB.4.\.suj......>..L.t*...i..*T .\U.4;..R(p...'A.D.@._6.aS...}...e.7...v.f.........0.iL.h.0.s.0......R.v.T.AP...',x.!5..>.@._..."E..z..CX.N....D....(.....^.*~=.....N3......Q)z;..Q.'+5I........3.......K......K8T..............K;.{.V...rr..$.}.....G.S..q.....[..j.^.O..L.4*..#.Re[Z.....r...M..(^..j[p..6,....]"..f.18.Ec{ML.{..Kf....w/.E.3:..a1..w....g..d?...BE;.X....6.J.X}..f..@.Y..-.f...J.0....5.. .....@..n.P..X..A.[1O..u.`.r..hZ...h...Rh...Bw!.k.Dk.....O._...M....N2Yh....d....X...]rU...!P..m..V#..|..@.Cb.....@..&...6....U.5r.5....8-r3..e.:x...z....<..I..h.@/8.T.]..S....'...i......mKgS..:...ZCY.O..9...E..%.:t..{...J<.I;.....W..(t...[Q.R.ze..0.T.S}m^.T..&..5.Yi......h.X....B.*..t..x.4.4.&..._*S:....xM.....[Q........;..fu:5.=....tX.J.2..i..CkB..Py.N..fP.q....D...+..l..*U..2....w..L6O

                        C:\Users\user\AppData\Local\Temp\autCE6E.tmp

                        Download File
                        Process:C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):9816
                        Entropy (8bit):7.608158950706453
                        Encrypted:false
                        SSDEEP:192:na0ZsqLUGeKtxWQa8atpLMknw1R9hFg1a6fYHWMMaC3t3fpIEICMOe8uq10ZOJOT:azqLFLtx3a88wknwdh6jYyaC3pRIENMr
                        MD5:42CF15BA79D0F28AC2200CB13B961A98
                        SHA1:04325141EC2B99F5BC998FB3897A0E830C45AFD9
                        SHA-256:6B900D06E95F88562626E0AD072B795AAD835622883BE6C6CDA584A8E1A31062
                        SHA-512:73B33D2788FEE9CD9149C914B7BEFD238F2B52A199703845EB90DCB35F56B403AFA174D407ABC6D4268FBD63DD8D30F9B1DC75823B94A321B87B847913B1EAA4
                        Malicious:false
                        Reputation:low
                        Preview:EA06..pD.L&.J...7...sz%..5.M.s...i0.L&....g9..h...g8.Q&4Z5.c3...sY..E........2^&.Y..c.Ll.;..a2....Y..ob.M.@...a6.N'3I..ib....]........K........|...o..b..`.....8.....9.X.30...,.....2.Z..k9..6.@.o.l..X......g.9...v0..X....N.,.I.........9..&....r.'.Y...c ....Aa.H.......F.3<..Y@.6...$.`....f@...x..j....Br.....Xf.0..l....n...Y&@5_..h....&.5_..p.U.., 5_....U..,.5_..`.U..f@5\..>3...M.^.a.Z..k6.z..o6......@.....3y..G../Z.M. .....jr....n.u....$.`./.o8...f.G_T.......>_.......zk5....i....3 ...................`.M..`... ...c...@..(.'.4.X.{>K...c.MlS@..X..._..p.....>K.#G.b..3|v9..G.4.X.@8_..kc..i|v9....c.h.,v..........7.Ml.K5...M..0;..8.Nf.0.L..6i..f..+..ff6)...6.N,....f...E...Y....3.I.....M.......vI.....0.....2p....<d....,vb........N@!+..'& ....,fo2..,.).......r.2.X...c3k$.ef.Y.!...Gf@....,f.9..,.. .#7.....c.0.....y..p.h.s.....,vf......t.L@...40.....f....N&3....4..@.6.-..p..S.-..2...S0.N.@.;5.`..9.M,`...k8.....c.P..Yf3.wx.....vl......@.E....N.y6....p.c3.%..4..b.!....F ....B5c.L.

                        C:\Users\user\AppData\Local\Temp\turbinate

                        Download File
                        Process:C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exe
                        File Type:ASCII text, with very long lines (28740), with no line terminators
                        Category:dropped
                        Size (bytes):28740
                        Entropy (8bit):3.5871394699332475
                        Encrypted:false
                        SSDEEP:768:WiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbA+IL26cz24vfF3if6gc:WiTZ+2QoioGRk6ZklputwjpjBkCiw2RJ
                        MD5:FEDF5187FBFDE806DB839E324F115298
                        SHA1:6697A650BDFC2C29823B998B6FDA25FCC98AFF77
                        SHA-256:DBE6EE56A9C35A8CF29E9A366365E91B3C976075619A05191754BB002348FCCD
                        SHA-512:E4B6351C6A76111FB343DB843DC6992068F1B769861AAEB1DA82B2A40C51F0EC8D1323063A2916CE04DAD142F99C18F9822885C64A80F3EBA84247E671A9C19D
                        Malicious:false
                        Reputation:low
                        Preview:606DABF73C37DFE5B6388B40F071263955F8071380D1EFA13173545CE7671ACF380x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c000000668995

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.051729711184832
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:rPurchaseOrder300610-PDF.exe
                        File size:1'116'160 bytes
                        MD5:e76975d634d228179adc45cad8f2000d
                        SHA1:9e5d85b6a9ce9c4ca3793c7f140e57e9ed024db3
                        SHA256:308004785363cf352a7c339d778f301bd25686dc8463190a41f3a5f65eb6c1dc
                        SHA512:f11c57d1c92d3ab7542bdc135982533cba6213835a2f0fa38bd3f589b5ce03239de37b1ca42c001dfb9d747e1aca587e14c0366d4467859dd53bec6d407c0d6d
                        SSDEEP:24576:cAHnh+eWsN3skA4RV1Hom2KXMmHadZz5CA9RiAPRx5:7h+ZkldoPK8YadZz5CA9rPh
                        TLSH:5635AD0273D1C036FFABA2739B6AB64156BC79254133852F13981DB9BC701B2267E763
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

                        File Icon

                        Icon Hash:aaf3e3e3938382a0

                        Static PE Info

                        General

                        Entrypoint:0x42800a
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                        Time Stamp:0x66678AA2 [Mon Jun 10 23:22:10 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:afcdf79be1557326c854b6e20cb900a7

                        Entrypoint Preview

                        Instruction
                        call 00007F0EDCC07DCDh
                        jmp 00007F0EDCBFAB84h
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        push edi
                        push esi
                        mov esi, dword ptr [esp+10h]
                        mov ecx, dword ptr [esp+14h]
                        mov edi, dword ptr [esp+0Ch]
                        mov eax, ecx
                        mov edx, ecx
                        add eax, esi
                        cmp edi, esi
                        jbe 00007F0EDCBFAD0Ah
                        cmp edi, eax
                        jc 00007F0EDCBFB06Eh
                        bt dword ptr [004C41FCh], 01h
                        jnc 00007F0EDCBFAD09h
                        rep movsb
                        jmp 00007F0EDCBFB01Ch
                        cmp ecx, 00000080h
                        jc 00007F0EDCBFAED4h
                        mov eax, edi
                        xor eax, esi
                        test eax, 0000000Fh
                        jne 00007F0EDCBFAD10h
                        bt dword ptr [004BF324h], 01h
                        jc 00007F0EDCBFB1E0h
                        bt dword ptr [004C41FCh], 00000000h
                        jnc 00007F0EDCBFAEADh
                        test edi, 00000003h
                        jne 00007F0EDCBFAEBEh
                        test esi, 00000003h
                        jne 00007F0EDCBFAE9Dh
                        bt edi, 02h
                        jnc 00007F0EDCBFAD0Fh
                        mov eax, dword ptr [esi]
                        sub ecx, 04h
                        lea esi, dword ptr [esi+04h]
                        mov dword ptr [edi], eax
                        lea edi, dword ptr [edi+04h]
                        bt edi, 03h
                        jnc 00007F0EDCBFAD13h
                        movq xmm1, qword ptr [esi]
                        sub ecx, 08h
                        lea esi, dword ptr [esi+08h]
                        movq qword ptr [edi], xmm1
                        lea edi, dword ptr [edi+08h]
                        test esi, 00000007h
                        je 00007F0EDCBFAD65h
                        bt esi, 03h

                        Rich Headers

                        Programming Language:
                        • [ASM] VS2013 build 21005
                        • [ C ] VS2013 build 21005
                        • [C++] VS2013 build 21005
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [ASM] VS2013 UPD5 build 40629
                        • [RES] VS2013 build 21005
                        • [LNK] VS2013 UPD5 build 40629

                        Data Directories

                        NameVirtual AddressVirtual Size Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IMPORT0xbc0cc0x17c.rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE0xc80000x461b4.rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x10f0000x7134.reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG0x92bc00x1c.rdata
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xa4b500x40.rdata
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IAT0x8f0000x884.rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                        Sections

                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                        .text0x10000x8dfdd0x8e000310e36668512d53489c005622bb1b4a9False0.5735602580325704data6.675248351711057IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rdata0x8f0000x2fd8e0x2fe00748cf1ab2605ce1fd72d53d912abb68fFalse0.32828818537859006data5.763244005758284IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data0xbf0000x8f740x5200aae9601d920f07080bdfadf43dfeff12False0.1017530487804878data1.1963819235530628IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc0xc80000x461b40x46200fdb05e31f667109b973be9eb66a0d7ebFalse0.9067130403297683data7.84390952909338IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc0x10f0000x71340x7200f04128ad0f87f42830e4a6cdbc38c719False0.7617530153508771data6.783955557128661IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Resources

                        NameRVASizeTypeLanguageCountryZLIB Complexity
                        RT_ICON0xc85a80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
                        RT_ICON0xc86d00x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
                        RT_ICON0xc87f80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
                        RT_ICON0xc89200x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 0EnglishGreat Britain0.3333333333333333
                        RT_ICON0xc8c080x128Device independent bitmap graphic, 16 x 32 x 4, image size 0EnglishGreat Britain0.5
                        RT_ICON0xc8d300xea8Device independent bitmap graphic, 48 x 96 x 8, image size 0EnglishGreat Britain0.2835820895522388
                        RT_ICON0xc9bd80x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0EnglishGreat Britain0.37906137184115524
                        RT_ICON0xca4800x568Device independent bitmap graphic, 16 x 32 x 8, image size 0EnglishGreat Britain0.23699421965317918
                        RT_ICON0xca9e80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0EnglishGreat Britain0.13858921161825727
                        RT_ICON0xccf900x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0EnglishGreat Britain0.25070356472795496
                        RT_ICON0xce0380x468Device independent bitmap graphic, 16 x 32 x 32, image size 0EnglishGreat Britain0.3173758865248227
                        RT_MENU0xce4a00x50dataEnglishGreat Britain0.9
                        RT_STRING0xce4f00x594dataEnglishGreat Britain0.3333333333333333
                        RT_STRING0xcea840x68adataEnglishGreat Britain0.2747909199522103
                        RT_STRING0xcf1100x490dataEnglishGreat Britain0.3715753424657534
                        RT_STRING0xcf5a00x5fcdataEnglishGreat Britain0.3087467362924282
                        RT_STRING0xcfb9c0x65cdataEnglishGreat Britain0.34336609336609336
                        RT_STRING0xd01f80x466dataEnglishGreat Britain0.3605683836589698
                        RT_STRING0xd06600x158Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishGreat Britain0.502906976744186
                        RT_RCDATA0xd07b80x3d44adata1.0003426922862357
                        RT_GROUP_ICON0x10dc040x76dataEnglishGreat Britain0.6610169491525424
                        RT_GROUP_ICON0x10dc7c0x14dataEnglishGreat Britain1.25
                        RT_GROUP_ICON0x10dc900x14dataEnglishGreat Britain1.15
                        RT_GROUP_ICON0x10dca40x14dataEnglishGreat Britain1.25
                        RT_VERSION0x10dcb80x10cdataEnglishGreat Britain0.5932835820895522
                        RT_MANIFEST0x10ddc40x3efASCII text, with CRLF line terminatorsEnglishGreat Britain0.5074478649453823

                        Imports

                        DLLImport
                        WSOCK32.dllWSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                        VERSION.dllGetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                        WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                        COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                        MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                        WININET.dllInternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                        PSAPI.DLLGetProcessMemoryInfo
                        IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                        USERENV.dllDestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                        UxTheme.dllIsThemeActive
                        KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                        USER32.dllAdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                        GDI32.dllStrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                        COMDLG32.dllGetOpenFileNameW, GetSaveFileNameW
                        ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                        SHELL32.dllDragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                        ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                        OLEAUT32.dllLoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

                        Possible Origin

                        Language of compilation systemCountry where language is spokenMap
                        EnglishGreat Britain

                        Network Behavior

                        Network Port Distribution

                        TCP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Jun 11, 2024 19:47:09.343044043 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:47:09.347832918 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:09.347975016 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:47:09.993120909 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:09.993395090 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:47:09.998842001 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:10.140547037 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:10.140768051 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:47:10.145677090 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:10.289242983 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:10.294877052 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:47:10.299652100 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:10.586867094 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:10.586929083 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:10.586966038 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:10.587003946 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:10.587033033 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:47:10.587034941 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:10.587070942 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:47:10.587169886 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:10.587230921 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:47:10.615997076 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:47:10.621223927 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:10.761893988 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:10.773132086 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:47:10.778145075 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:10.918577909 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:10.919946909 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:47:10.924848080 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:11.066915035 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:11.067266941 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:47:11.072158098 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:11.381289005 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:11.381786108 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:47:11.387473106 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:11.528099060 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:11.528470039 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:47:11.533431053 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:11.756761074 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:11.757164001 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:47:11.762200117 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:11.902322054 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:11.903738976 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:47:11.903774977 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:47:11.903827906 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:47:11.903827906 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:47:11.909957886 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:11.910007954 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:11.910032034 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:11.910054922 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:12.062854052 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:47:12.117336988 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:48:49.252794027 CEST49731587192.168.2.4174.141.234.138
                        Jun 11, 2024 19:48:49.257730007 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:48:49.399524927 CEST58749731174.141.234.138192.168.2.4
                        Jun 11, 2024 19:48:49.405812025 CEST49731587192.168.2.4174.141.234.138

                        UDP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Jun 11, 2024 19:47:09.225862026 CEST6384553192.168.2.41.1.1.1
                        Jun 11, 2024 19:47:09.336755991 CEST53638451.1.1.1192.168.2.4

                        DNS Queries

                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                        Jun 11, 2024 19:47:09.225862026 CEST192.168.2.41.1.1.10xad96Standard query (0)srv.masternic.netA (IP address)IN (0x0001)false

                        DNS Answers

                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                        Jun 11, 2024 19:47:09.336755991 CEST1.1.1.1192.168.2.40xad96No error (0)srv.masternic.net174.141.234.138A (IP address)IN (0x0001)false

                        SMTP Packets

                        TimestampSource PortDest PortSource IPDest IPCommands
                        Jun 11, 2024 19:47:09.993120909 CEST58749731174.141.234.138192.168.2.4220-srv.masternic.net ESMTP Exim 4.96.2 #2 Tue, 11 Jun 2024 21:17:09 +0330
                        220-We do not authorize the use of this system to transport unsolicited,
                        220 and/or bulk e-mail.
                        Jun 11, 2024 19:47:09.993395090 CEST49731587192.168.2.4174.141.234.138EHLO 936905
                        Jun 11, 2024 19:47:10.140547037 CEST58749731174.141.234.138192.168.2.4250-srv.masternic.net Hello 936905 [173.254.250.91]
                        250-SIZE 52428800
                        250-8BITMIME
                        250-PIPELINING
                        250-PIPECONNECT
                        250-STARTTLS
                        250 HELP
                        Jun 11, 2024 19:47:10.140768051 CEST49731587192.168.2.4174.141.234.138STARTTLS
                        Jun 11, 2024 19:47:10.289242983 CEST58749731174.141.234.138192.168.2.4220 TLS go ahead

                        Statistics

                        CPU Usage

                        Click to jump to process

                        Memory Usage

                        Click to jump to process

                        High Level Behavior Distribution

                        Click to dive into process behavior distribution

                        Behavior

                        Click to jump to process

                        System Behavior

                        General

                        Target ID:0
                        Start time:13:47:05
                        Start date:11/06/2024
                        Path:C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exe"
                        Imagebase:0x7e0000
                        File size:1'116'160 bytes
                        MD5 hash:E76975D634D228179ADC45CAD8F2000D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1737903972.0000000003630000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1737903972.0000000003630000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1737903972.0000000003630000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                        Reputation:low
                        Has exited:true

                        General

                        Target ID:1
                        Start time:13:47:06
                        Start date:11/06/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\rPurchaseOrder300610-PDF.exe"
                        Imagebase:0xe30000
                        File size:45'984 bytes
                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2983820925.000000000319E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2983011276.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2983011276.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2983820925.00000000031C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2983820925.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2983820925.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:false

                        Disassembly

                        Reset < >