
Analysis Report ST_PLC URGENT ORDER 0223308737,pdf.exe

Overview

General Information

Sample Name: ST_PLC URGENT ORDER 0223308737,pdf.exe
Analysis ID: 356838
MD5: 49b05de1926be1ea5993874ad14c8d3a
SHA1: 92caf8d81c1cddab1e799d730b6f31b8820bdef5
SHA256: f5a3420b7aa30f99c877d5a661625e37b79841f4bc99bd17a75d46eb86e4791d
Tags: exe SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
PE file contains section with special chars
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "info@endovision.xyzr)($czxJs0smtp.endovision.xyz"}}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.502527744.0000000000402000.00000040.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
00000009.00000002.502527744.0000000000402000.00000040.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 6256 | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "info@endovision.xyzr)($czxJs0smtp.endovision.xyz"}}
Multi AV Scanner detection for submitted file
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | ReversingLabs: Detection: 31%
Machine Learning detection for sample
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Joe Sandbox ML: detected
Source: 9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.190000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen3

Compliance:

Uses 32bit PE files
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.7:49726 version: TLS 1.0
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 0_2_00BA1798
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 0_2_00BA16F1

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: checkip.dyndns.org
Source: Joe Sandbox View | IP Address: 216.146.43.70 216.146.43.70
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.7:49726 version: TLS 1.0
Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: ST_PLC URGENT ORDER 0223308737,pdf.exe
PE file contains section with special chars
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: section name: qd?b#D
PE file has nameless sections
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: section name:
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.325052772.00000000026AB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameGALJS2L7.exe4 vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000000.233357926.00000000001FE000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameY vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.324869005.0000000002651000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.503626683.0000000000C6E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameY vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.503246705.0000000000466000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameGALJS2L7.exe4 vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.503854673.00000000010F6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exeBinary or memory string: OriginalFilenameY vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exeStatic PE information: Section: qd?b#D ZLIB complexity 1.00040910051
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ST_PLC URGENT ORDER 0223308737,pdf.exe.logJump to behavior
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 identical entries)
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 identical entries)
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | ReversingLabs: Detection: 31%
Source: unknown | Process created: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe 'C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe'
Source: unknown | Process created: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe {path}
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Process created: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe {path}
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Yara detected Beds Obfuscator
Source: Yara match | File source: 00000009.00000002.502527744.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 6256, type: MEMORY
Source: Yara match | File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 5656, type: MEMORY
Source: Yara match | File source: 9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.raw.unpack, type: UNPACKEDPE
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: section name: qd?b#D
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: section name: (nameless section)
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Code function: 0_2_023A9556 push A4E94827h; iretd | 0_2_023A955D
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Code function: 0_2_023BE39D push FFFFFF8Bh; iretd | 0_2_023BE39F
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Code function: 0_2_023B6E4E push ebp; ret | 0_2_023B6E58
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Code function: 0_2_023B6F19 push FFFFFF8Bh; iretd | 0_2_023B6F1E
Source: initial sample | Static PE information: section name: qd?b#D entropy: 7.99769775695
Source: initial sample | Static PE information: section name: .text entropy: 7.94788728273
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Process information set: NOOPENFILEERRORBOX (81 identical entries)

Malware Analysis System Evasion:

Yara detected Beds Obfuscator
Source: Yara match | File source: 00000009.00000002.502527744.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 6256, type: MEMORY
Source: Yara match | File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 5656, type: MEMORY
Source: Yara match | File source: 9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe TID: 6292 | Thread sleep time: -45000s >= -30000s
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe TID: 6280 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Code function: 0_2_00BA1798 CheckRemoteDebuggerPresent
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Process queried: DebugPort (2 identical entries)
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Code function: 9_2_06832D50 LdrInitializeThunk
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Process token adjusted: Debug (2 identical entries)
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Memory written: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Process created: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe {path}
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.507743136.0000000001A00000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.507743136.0000000001A00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000