
Analysis Report Purchase Order_Pdf.exe

Overview

General Information

Sample Name:Purchase Order_Pdf.exe
Analysis ID:339377
MD5:24ab440ba14af239092dc2f4c04a4aed
SHA1:4f060fb538c3f5fba0b7e8e95bfc5c3f620ea190
SHA256:c213685d3005fbac05b0cd6b11a077f57cc4d50fcb762c7cab8a81ae7dec2043
Tags:AgentTeslaexe


Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Purchase Order_Pdf.exe (PID: 6556 cmdline: 'C:\Users\user\Desktop\Purchase Order_Pdf.exe' MD5: 24AB440BA14AF239092DC2F4C04A4AED)
    • schtasks.exe (PID: 6988 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gspeFYive' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA8D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "JTEGfd5E6q9K", "URL: ": "http://WLcj6bxQ2J4N01Tk.com", "To: ": "office-z9@impressindia.net", "ByHost: ": "mail.impressindia.net:587", "Password: ": "aiCQx1fB", "From: ": "office-z9@impressindia.net"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.618170547.00000000030D2000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.618083495.000000000308F000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.626396624.000000000A420000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Purchase Order_Pdf.exe.a420000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Purchase Order_Pdf.exe.a420000.10.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gspeFYive' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA8D.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gspeFYive' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA8D.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Purchase Order_Pdf.exe' , ParentImage: C:\Users\user\Desktop\Purchase Order_Pdf.exe, ParentProcessId: 6556, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gspeFYive' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA8D.tmp', ProcessId: 6988

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Purchase Order_Pdf.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\gspeFYive.exe | Avira: detection malicious, Label: HEUR/AGEN.1120329
Found malware configuration
Source: Purchase Order_Pdf.exe.6556.0.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "JTEGfd5E6q9K", "URL: ": "http://WLcj6bxQ2J4N01Tk.com", "To: ": "office-z9@impressindia.net", "ByHost: ": "mail.impressindia.net:587", "Password: ": "aiCQx1fB", "From: ": "office-z9@impressindia.net"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\gspeFYive.exe | ReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
Source: Purchase Order_Pdf.exe | ReversingLabs: Detection: 36%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\gspeFYive.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Purchase Order_Pdf.exe | Joe Sandbox ML: detected
Source: 0.2.Purchase Order_Pdf.exe.8f0000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Unpacked PE file: 0.2.Purchase Order_Pdf.exe.8f0000.0.unpack
Source: Purchase Order_Pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase Order_Pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe | Code function: 4x nop then mov eax, dword ptr [ebp-24h] | 0_2_012C47A0

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://WLcj6bxQ2J4N01Tk.com
Source: Joe Sandbox View | IP Address: 192.232.223.161
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: unknown | DNS traffic detected: queries for: mail.impressindia.net
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | String found in binary or memory: http://RNjXxX.com
Source: Purchase Order_Pdf.exe, 00000000.00000002.618170547.00000000030D2000.00000004.00000001.sdmp, Purchase Order_Pdf.exe, 00000000.00000002.618336118.000000000314E000.00000004.00000001.sdmp | String found in binary or memory: http://WLcj6bxQ2J4N01Tk.com
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootca2
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.le
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Purchase Order_Pdf.exe, 00000000.00000002.618273971.0000000003123000.00000004.00000001.sdmp | String found in binary or memory: http://impressindia.net
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: Purchase Order_Pdf.exe, 00000000.00000002.618273971.0000000003123000.00000004.00000001.sdmp | String found in binary or memory: http://mail.impressindia.net
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Purchase Order_Pdf.exe, 00000000.00000003.251167211.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Purchase Order_Pdf.exe, 00000000.00000003.249791058.0000000008315000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Purchase Order_Pdf.exe, 00000000.00000003.249663880.0000000008315000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coma
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Purchase Order_Pdf.exe, 00000000.00000003.249904573.0000000008315000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.
Source: Purchase Order_Pdf.exe, 00000000.00000003.249562757.0000000008315000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comva
Source: Purchase Order_Pdf.exe, 00000000.00000003.255296308.000000000830F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Purchase Order_Pdf.exe, 00000000.00000003.255296308.000000000830F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com.TTFt$
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Purchase Order_Pdf.exe, 00000000.00000003.254353271.0000000008308000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/:
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Purchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmp, Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Purchase Order_Pdf.exe, 00000000.00000003.253923636.0000000008304000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers5:
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Purchase Order_Pdf.exe, 00000000.00000003.255018578.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersT:-
Source: Purchase Order_Pdf.exe, 00000000.00000003.254937068.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersx:
Source: Purchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comB.TTF
Source: Purchase Order_Pdf.exe, 00000000.00000003.255296308.000000000830F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: Purchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comFn%D
Source: Purchase Order_Pdf.exe, 00000000.00000003.255296308.000000000830F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalic
Source: Purchase Order_Pdf.exe, 00000000.00000003.255296308.000000000830F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsa
Source: Purchase Order_Pdf.exe, 00000000.00000003.254726496.0000000008308000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsd
Source: Purchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: Purchase Order_Pdf.exe, 00000000.00000003.254353271.0000000008308000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comitu
Source: Purchase Order_Pdf.exe, 00000000.00000002.623115000.0000000008300000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm_$
Source: Purchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comt
Source: Purchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comtop/
Source: Purchase Order_Pdf.exe, 00000000.00000003.254435963.0000000008308000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comtu/
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Purchase Order_Pdf.exe, 00000000.00000003.249308151.0000000008314000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Purchase Order_Pdf.exe, 00000000.00000003.256503800.000000000830A000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Purchase Order_Pdf.exe, 00000000.00000003.256503800.000000000830A000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/K
Source: Purchase Order_Pdf.exe, 00000000.00000003.256503800.000000000830A000.00000004.00000001.sdmp, Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Purchase Order_Pdf.exe, 00000000.00000003.252076847.0000000008309000.00000004.00000001.sdmp, Purchase Order_Pdf.exe, 00000000.00000003.251032025.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Purchase Order_Pdf.exe, 00000000.00000003.251032025.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/:$
Source: Purchase Order_Pdf.exe, 00000000.00000003.250813109.000000000830A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/F$
Source: Purchase Order_Pdf.exe, 00000000.00000003.251167211.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/M$
Source: Purchase Order_Pdf.exe, 00000000.00000003.250813109.000000000830A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Purchase Order_Pdf.exe, 00000000.00000003.251167211.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0($
Source: Purchase Order_Pdf.exe, 00000000.00000003.251032025.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/_$
Source: Purchase Order_Pdf.exe, 00000000.00000003.252386933.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Purchase Order_Pdf.exe, 00000000.00000003.252541981.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/j
Source: Purchase Order_Pdf.exe, 00000000.00000003.252875664.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/n
Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoft.co
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Purchase Order_Pdf.exe, 00000000.00000003.249322008.0000000008312000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comz-mp
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Purchase Order_Pdf.exe, 00000000.00000003.255075401.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: Purchase Order_Pdf.exe, 00000000.00000003.253439230.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deB
Source: Purchase Order_Pdf.exe, 00000000.00000002.623286912.00000000083F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Purchase Order_Pdf.exe, 00000000.00000003.253439230.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deF
Source: Purchase Order_Pdf.exe, 00000000.00000003.253439230.0000000008309000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.delt
Source: Purchase Order_Pdf.exe, 00000000.00000003.249519563.0000000008315000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Purchase Order_Pdf.exe, 00000000.00000003.249481844.0000000008313000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.-3p
Source: Purchase Order_Pdf.exe, 00000000.00000003.249481844.0000000008313000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.S3
Source: Purchase Order_Pdf.exe, 00000000.00000002.618061506.0000000003081000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Purchase Order_Pdf.exe, 00000000.00000002.626396624.000000000A420000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                System Summary:

                barindex
                Initial sample is a PE file and has a suspicious nameShow sources
                Source: initial sampleStatic PE information: Filename: Purchase Order_Pdf.exe
                Source: initial sampleStatic PE information: Filename: Purchase Order_Pdf.exe
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_00FBD8E00_2_00FBD8E0
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_00FB28D00_2_00FB28D0
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_00FB9FC80_2_00FB9FC8
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_00FB77280_2_00FB7728
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_00FB3E100_2_00FB3E10
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_012C3D780_2_012C3D78
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_02CA22780_2_02CA2278
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_02CA30C00_2_02CA30C0
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_02CA18790_2_02CA1879
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_02CA0FC80_2_02CA0FC8
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_02CA04700_2_02CA0470
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_02CA4AD80_2_02CA4AD8
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_02CA4AE80_2_02CA4AE8
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_02CA12B10_2_02CA12B1
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_02CA53800_2_02CA5380
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_02CA53900_2_02CA5390
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_02CA30AF0_2_02CA30AF
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_02CA51610_2_02CA5161
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_02CA51700_2_02CA5170
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_02CA57F10_2_02CA57F1
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_02CA0FAF0_2_02CA0FAF
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_02CA4DD90_2_02CA4DD9
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_02CA55E00_2_02CA55E0
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_02CA55F00_2_02CA55F0
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeCode function: 0_2_09FAF8980_2_09FAF898
                Source: Purchase Order_Pdf.exeBinary or memory string: OriginalFilename vs Purchase Order_Pdf.exe
                Source: Purchase Order_Pdf.exe, 00000000.00000002.613374809.0000000000FA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx vs Purchase Order_Pdf.exe
                Source: Purchase Order_Pdf.exe, 00000000.00000002.611193181.0000000000A0D000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameG vs Purchase Order_Pdf.exe
                Source: Purchase Order_Pdf.exe, 00000000.00000002.614320198.0000000001260000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs Purchase Order_Pdf.exe
                Source: Purchase Order_Pdf.exe, 00000000.00000002.626058184.000000000A310000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Purchase Order_Pdf.exe
                Source: Purchase Order_Pdf.exe, 00000000.00000002.626396624.000000000A420000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamehXQWDkwjorXbZycVPEgxEAcKCNaVjkoW.exe4 vs Purchase Order_Pdf.exe
                Source: Purchase Order_Pdf.exe, 00000000.00000002.616957366.0000000002E11000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs Purchase Order_Pdf.exe
                Source: Purchase Order_Pdf.exe, 00000000.00000002.621098746.0000000005340000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs Purchase Order_Pdf.exe
                Source: Purchase Order_Pdf.exe, 00000000.00000002.625668181.0000000009F80000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Purchase Order_Pdf.exe
                Source: Purchase Order_Pdf.exe, 00000000.00000002.625668181.0000000009F80000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Purchase Order_Pdf.exe
                Source: Purchase Order_Pdf.exe, 00000000.00000002.621067126.0000000005330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewbemdisp.tlbj% vs Purchase Order_Pdf.exe
                Source: Purchase Order_Pdf.exe, 00000000.00000002.616214968.0000000001350000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Purchase Order_Pdf.exe
                Source: Purchase Order_Pdf.exeBinary or memory string: OriginalFilenameG vs Purchase Order_Pdf.exe
                Source: Purchase Order_Pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                Source: Purchase Order_Pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: gspeFYive.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@4/3@2/1
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeFile created: C:\Users\user\AppData\Roaming\gspeFYive.exeJump to behavior
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_01
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeMutant created: \Sessions\1\BaseNamedObjects\xhTzDDzutokrrJYCnn
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmpDA8D.tmpJump to behavior
                Source: Purchase Order_Pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: Purchase Order_Pdf.exe ReversingLabs: Detection: 36%
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe File read: C:\Users\user\Desktop\Purchase Order_Pdf.exe
                Source: unknown Process created: C:\Users\user\Desktop\Purchase Order_Pdf.exe 'C:\Users\user\Desktop\Purchase Order_Pdf.exe'
                Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gspeFYive' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA8D.tmp'
                Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gspeFYive' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA8D.tmp'
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: Purchase Order_Pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Purchase Order_Pdf.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: Purchase Order_Pdf.exe Static file information: File size 1156096 > 1048576
                Source: Purchase Order_Pdf.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x110400
                Source: Purchase Order_Pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                Data Obfuscation:

                Detected unpacking (changes PE section rights)
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Unpacked PE file: 0.2.Purchase Order_Pdf.exe.8f0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
                Detected unpacking (overwrites its own PE header)
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Unpacked PE file: 0.2.Purchase Order_Pdf.exe.8f0000.0.unpack
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Code function: 0_2_008F5D84 pushfd ; iretd 0_2_008F5D85
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Code function: 0_2_008F54EB push ds; ret 0_2_008F54F3
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Code function: 0_2_008F6B43 push ss; retf 0_2_008F6B49
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Code function: 0_2_09FA3132 push eax; iretd 0_2_09FA3133
                Source: initial sample Static PE information: section name: .text entropy: 7.47999071167
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe File created: C:\Users\user\AppData\Roaming\gspeFYive.exe

                Boot Survival:

                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gspeFYive' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA8D.tmp'
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

                Yara detected AntiVM_3
                Source: Yara match File source: 00000000.00000002.616957366.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: Purchase Order_Pdf.exe PID: 6556, type: MEMORY
                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Window / User API: threadDelayed 8520
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Window / User API: threadDelayed 1338
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe TID: 6560 Thread sleep time: -31500s >= -30000s
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe TID: 6652 Thread sleep time: -13835058055282155s >= -30000s
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp Binary or memory string: VMware
                Source: Purchase Order_Pdf.exe, 00000000.00000002.621098746.0000000005340000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp Binary or memory string: vmware
                Source: Purchase Order_Pdf.exe, 00000000.00000002.625516191.0000000009EC2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
                Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp Binary or memory string: =l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp Binary or memory string: VMWARE
                Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp Binary or memory string: =l"SOFTWARE\VMware, Inc.\VMware Tools
                Source: Purchase Order_Pdf.exe, 00000000.00000002.621098746.0000000005340000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: Purchase Order_Pdf.exe, 00000000.00000002.621098746.0000000005340000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp Binary or memory string: VMware
                Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
                Source: Purchase Order_Pdf.exe, 00000000.00000002.617864263.0000000002FEC000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                Source: Purchase Order_Pdf.exe, 00000000.00000002.621098746.0000000005340000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Code function: 0_2_00FB9828 LdrInitializeThunk,0_2_00FB9828
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Memory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gspeFYive' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA8D.tmp'
                Source: Purchase Order_Pdf.exe, 00000000.00000002.616292953.00000000016F0000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
                Source: Purchase Order_Pdf.exe, 00000000.00000002.616292953.00000000016F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                Source: Purchase Order_Pdf.exe, 00000000.00000002.616292953.00000000016F0000.00000002.00000001.sdmp Binary or memory string: Progman
                Source: Purchase Order_Pdf.exe, 00000000.00000002.616292953.00000000016F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Users\user\Desktop\Purchase Order_Pdf.exe VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Purchase Order_Pdf.exe