Analysis Report invoicepdf.exe

Overview

General Information

Sample Name: invoicepdf.exe
Analysis ID: 358289
MD5: 6f98206e6905f1f727e255d114d3c0ac
SHA1: 71f6208364a668e72f8109a373c6c83c90b7999f
SHA256: 97069c864ebe6a1a3e6e85bd1ff54351810cc32de3cdfe34f7fef15f04da0b87
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large strings
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (STR)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • invoicepdf.exe (PID: 6812 cmdline: 'C:\Users\user\Desktop\invoicepdf.exe' MD5: 6F98206E6905F1F727E255D114D3C0AC)
    • schtasks.exe (PID: 6932 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EuegmryBXVkd' /XML 'C:\Users\user\AppData\Local\Temp\tmp5A9C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • invoicepdf.exe (PID: 7052 cmdline: C:\Users\user\Desktop\invoicepdf.exe MD5: 6F98206E6905F1F727E255D114D3C0AC)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "FTP Info": "nasir@com-cept.comkhan@980.pkmail.com-cept.comlight@redwevamaldives.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.594160867.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.337569981.0000000002AB1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.337682468.0000000002ADC000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000005.00000002.598124128.0000000002D9F000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.338574835.0000000003B5E000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(6 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
5.2.invoicepdf.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.invoicepdf.exe.2ac5f2c.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0.2.invoicepdf.exe.3d71aa0.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.invoicepdf.exe.3d71aa0.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.invoicepdf.exe.3c743f0.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(1 further entry not shown)

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security
Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EuegmryBXVkd' /XML 'C:\Users\user\AppData\Local\Temp\tmp5A9C.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EuegmryBXVkd' /XML 'C:\Users\user\AppData\Local\Temp\tmp5A9C.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\invoicepdf.exe'
  ParentImage: C:\Users\user\Desktop\invoicepdf.exe
  ParentProcessId: 6812
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EuegmryBXVkd' /XML 'C:\Users\user\AppData\Local\Temp\tmp5A9C.tmp'
  ProcessId: 6932
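The Sigma match above fires on a process-creation event in which schtasks.exe registers a task from an XML file under the user's Temp directory. The Python below is an added example, not part of the Joe Sandbox report, that implements the same logic over process-creation records: the first record is copied from the Data block above, the others are constructed benign and malicious variants. One detail from the report matters for the check: the 32-bit parent launches schtasks.exe from C:\Windows\SysWOW64\ even though the command line names System32 (file-system redirection), so the rule matches on the image basename rather than on its directory.

```python
"""Added example: re-implementation of the "scheduled task from temp location" check
over process-creation events (field names as in the Sigma Data block above)."""
import re

# Paths that count as temp locations, matched case-insensitively anywhere in the value.
_TEMP_DIR_RE = re.compile(
    r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|^%temp%\\|^%tmp%\\",
    re.IGNORECASE,
)
# Windows command-line tokens: "double quoted", 'single quoted' (Joe Sandbox renders
# double quotes as single quotes), or a bare run of non-whitespace.
_TOKEN_RE = re.compile(r'''"[^"]*"|'[^']*'|\S+''')


def tokenize(cmdline):
    """Split a Windows command line into arguments, stripping surrounding quotes."""
    tokens = []
    for tok in _TOKEN_RE.findall(cmdline):
        if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'":
            tok = tok[1:-1]
        tokens.append(tok)
    return tokens


def switch_values(tokens):
    """Map each /switch (lower-cased) to the argument that follows it ('' if none)."""
    values = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            values[tok.lower()] = "" if nxt.startswith("/") else nxt
    return values


def is_temp_task_creation(event):
    """True when schtasks.exe creates a task whose definition (/XML) or action (/TR)
    lives in a temp directory. Matches on the image basename because a 32-bit parent
    is redirected to SysWOW64 although its command line names System32."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\schtasks.exe"):
        return False
    switches = switch_values(tokenize(event.get("CommandLine", "")))
    if "/create" not in switches:
        return False
    return any(_TEMP_DIR_RE.search(switches.get(k, "")) for k in ("/xml", "/tr"))


# Record 0 is copied from the report's Sigma Data block; the rest are constructed.
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\invoicepdf.exe",
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EuegmryBXVkd' "
                    r"/XML 'C:\Users\user\AppData\Local\Temp\tmp5A9C.tmp'"},
    {"Image": r"C:\Windows\System32\schtasks.exe",  # constructed: legitimate installer
     "ParentImage": r"C:\Program Files\Backup\setup.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup\Nightly" '
                    r'/XML "C:\ProgramData\Backup\nightly.xml"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",  # constructed: query only, no /Create
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /Query /TN "Backup\Nightly"'},
    {"Image": r"c:\windows\system32\SCHTASKS.EXE",  # constructed: unquoted, action in Temp
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"schtasks /create /sc minute /mo 5 /tn upd /tr C:\Users\bob\AppData\Local\Temp\upd.exe"},
]


def alerts(events=EVENTS):
    """Return the command lines of the events that match the rule."""
    return [e["CommandLine"] for e in events if is_temp_task_creation(e)]


if __name__ == "__main__":
    for cmd in alerts():
        print("ALERT:", cmd)
```

Only the report's event and the unquoted PowerShell-spawned variant are flagged; the installer writing its definition under ProgramData and the plain /Query are not.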

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.invoicepdf.exe.3d71aa0.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "FTP Info": "nasir@com-cept.comkhan@980.pkmail.com-cept.comlight@redwevamaldives.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\EuegmryBXVkd.exe | ReversingLabs: Detection: 10%
Multi AV Scanner detection for submitted file
Source: invoicepdf.exe | Virustotal: Detection: 17%
Source: 5.2.invoicepdf.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: invoicepdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\invoicepdf.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: invoicepdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: mscorrc.pdb source: invoicepdf.exe, 00000000.00000002.339404912.0000000004D20000.00000002.00000001.sdmp, invoicepdf.exe, 00000005.00000002.595636054.0000000000D30000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: global traffic | TCP traffic: 192.168.2.6:49754 -> 185.221.216.77:587
Source: Joe Sandbox View | ASN Name: HOST4GEEKS-LLCUS
Source: unknown | DNS traffic detected: queries for: mail.com-cept.com
Source: invoicepdf.exe, 00000005.00000002.597890821.0000000002D11000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: invoicepdf.exe, 00000005.00000002.597890821.0000000002D11000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: invoicepdf.exe, 00000005.00000002.597890821.0000000002D11000.00000004.00000001.sdmp | String found in binary or memory: http://HtsCZk.com
Source: invoicepdf.exe, 00000005.00000002.597890821.0000000002D11000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: invoicepdf.exe, 00000005.00000002.597890821.0000000002D11000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: invoicepdf.exe, 00000000.00000002.337569981.0000000002AB1000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: invoicepdf.exe, 00000000.00000002.338574835.0000000003B5E000.00000004.00000001.sdmp, invoicepdf.exe, 00000005.00000002.594160867.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: invoicepdf.exe, 00000005.00000002.597890821.0000000002D11000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: invoicepdf.exe, 00000005.00000002.598124128.0000000002D9F000.00000004.00000001.sdmp | String found in binary or memory: https://x4UtAvxhwOMMhTg.org
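The network entries above show the sample resolving mail.com-cept.com and opening an SMTP submission session to 185.221.216.77:587, consistent with the extracted configuration ("Exfil Mode": "SMTP"). The Python below is an added example, not part of the report, of the matching host-side detection: outbound connections to mail-submission ports from processes that are not mail clients, enriched with the hostname the host resolved just before. Only the first two records restate the report's DNS query and TCP connection; the mapping of mail.com-cept.com to 185.221.216.77 is inferred from their adjacency in the report, which does not print the DNS answer, and the remaining records (addresses from the 203.0.113.0/24 documentation range) are constructed.

```python
"""Added example: SMTP egress from non-mail-client processes, with DNS enrichment."""
from ipaddress import ip_address, ip_network

MAIL_PORTS = {25, 465, 587}
# Constructed allowlist of processes expected to speak SMTP from a workstation.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# RFC 1918 ranges only; ipaddress.is_private would also swallow the documentation
# ranges used for the constructed records below.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def smtp_egress_alerts(events):
    """events: time-ordered dicts of the form {"type": "dns", "query", "answers"} or
    {"type": "connect", "image", "src", "dst", "dport"}. Returns one alert per
    suspicious connect(), naming the destination from the most recent DNS answer."""
    name_for = {}  # last hostname that resolved to each IP
    alerts = []
    for ev in events:
        if ev["type"] == "dns":
            for ip in ev["answers"]:
                name_for[ip] = ev["query"]
        elif ev["type"] == "connect":
            if ev["dport"] not in MAIL_PORTS or is_internal(ev["dst"]):
                continue  # not mail, or an internal relay (out of scope here)
            process = ev["image"].rsplit("\\", 1)[-1].lower()
            if process in MAIL_CLIENTS:
                continue
            alerts.append({
                "image": ev["image"],
                "dst": f'{ev["dst"]}:{ev["dport"]}',
                "host": name_for.get(ev["dst"], "(unresolved)"),
            })
    return alerts


# Records 0 and 1 restate the report (DNS answer inferred); the rest are constructed.
EVENTS = [
    {"type": "dns", "query": "mail.com-cept.com", "answers": ["185.221.216.77"]},
    {"type": "connect", "image": r"C:\Users\user\Desktop\invoicepdf.exe",
     "src": "192.168.2.6:49754", "dst": "185.221.216.77", "dport": 587},
    {"type": "dns", "query": "smtp.example.com", "answers": ["203.0.113.10"]},
    {"type": "connect", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "src": "192.168.2.6:49800", "dst": "203.0.113.10", "dport": 587},
    {"type": "connect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "src": "192.168.2.6:49801", "dst": "203.0.113.20", "dport": 443},
    {"type": "connect", "image": r"C:\Windows\System32\svchost.exe",
     "src": "192.168.2.6:49802", "dst": "10.0.0.25", "dport": 25},
]

if __name__ == "__main__":
    for a in smtp_egress_alerts(EVENTS):
        print(f'{a["image"]} -> {a["dst"]} ({a["host"]})')
```

Port 587 is the standard submission port, so the sandbox's "non-standard port" label is about the sample rather than the protocol; the useful signal is which process opened the session, which is why the check keys on the image basename and not on the port alone.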

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\invoicepdf.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\invoicepdf.exe
Source: C:\Users\user\Desktop\invoicepdf.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large strings
Source: invoicepdf.exe, frmSplashScreen.cs | Long String: Length: 13656
Source: 0.2.invoicepdf.exe.2c0000.0.unpack, frmSplashScreen.cs | Long String: Length: 13656
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: invoicepdf.exe
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 0_2_051E111E NtQuerySystemInformation,
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_00CCB0BA NtQuerySystemInformation,
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_00CCB089 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 0_2_002C52E6
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 0_2_04C846D8
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 0_2_04C848E0
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 0_2_04C846C8
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 0_2_04C855E8
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 0_2_04C85390
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 0_2_04C853A0
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_004852E6
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_029B9690
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_029B7A94
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_029BD0F0
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_029B9248
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_029BBF90
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_0570DD78
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_0570F3F8
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_0570BDE0
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_057007D6
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_05707B98
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_0570D220
Source: invoicepdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EuegmryBXVkd.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: invoicepdf.exe | Binary or memory string: OriginalFilename vs invoicepdf.exe
Source: invoicepdf.exe, 00000000.00000002.340371010.0000000005960000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs invoicepdf.exe
Source: invoicepdf.exe, 00000000.00000002.337569981.0000000002AB1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs invoicepdf.exe
Source: invoicepdf.exe, 00000000.00000002.339404912.0000000004D20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs invoicepdf.exe
Source: invoicepdf.exe, 00000000.00000002.337682468.0000000002ADC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamexFMBnjPOeEEgNCcCePpgxKGYA.exe4 vs invoicepdf.exe
Source: invoicepdf.exe, 00000000.00000002.340040627.0000000005180000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs invoicepdf.exe
Source: invoicepdf.exe, 00000000.00000002.341740011.0000000005A60000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs invoicepdf.exe
Source: invoicepdf.exe, 00000000.00000002.341740011.0000000005A60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs invoicepdf.exe
Source: invoicepdf.exe, 00000000.00000000.324546289.00000000002C2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSubcategoryMembershipEntry.exe< vs invoicepdf.exe
Source: invoicepdf.exe, 00000005.00000002.594160867.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamexFMBnjPOeEEgNCcCePpgxKGYA.exe4 vs invoicepdf.exe
Source: invoicepdf.exe, 00000005.00000000.333970485.0000000000482000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSubcategoryMembershipEntry.exe< vs invoicepdf.exe
Source: invoicepdf.exe, 00000005.00000002.600207758.0000000005440000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs invoicepdf.exe
Source: invoicepdf.exe, 00000005.00000002.595816838.0000000000E60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs invoicepdf.exe
Source: invoicepdf.exe, 00000005.00000002.599846996.0000000004F20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs invoicepdf.exe
Source: invoicepdf.exe, 00000005.00000002.595636054.0000000000D30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs invoicepdf.exe
Source: invoicepdf.exe | Binary or memory string: OriginalFilenameSubcategoryMembershipEntry.exe< vs invoicepdf.exe
Source: C:\Users\user\Desktop\invoicepdf.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\invoicepdf.exe | Section loaded: security.dll
Source: invoicepdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: invoicepdf.exe, frmSplashScreen.cs | Base64 encoded string: '...
Source: 0.2.invoicepdf.exe.2c0000.0.unpack, frmSplashScreen.cs | Base64 encoded string: '...
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/4@1/2
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 0_2_051E0FA2 AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_00CCAF3E AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_00CCAF07 AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\invoicepdf.exe | File created: C:\Users\user\AppData\Roaming\EuegmryBXVkd.exe
Source: C:\Users\user\Desktop\invoicepdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\zpWvzg
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_01
Source: C:\Users\user\Desktop\invoicepdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\invoicepdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmp5A9C.tmp
Source: invoicepdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\invoicepdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\invoicepdf.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\invoicepdf.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\invoicepdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\invoicepdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\invoicepdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\invoicepdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\invoicepdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: invoicepdf.exe, 00000000.00000002.337569981.0000000002AB1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: invoicepdf.exe, 00000000.00000002.337569981.0000000002AB1000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: invoicepdf.exe | Virustotal: Detection: 17%
Source: invoicepdf.exe | String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
Source: invoicepdf.exe | String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
Source: C:\Users\user\Desktop\invoicepdf.exe | File read: C:\Users\user\Desktop\invoicepdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\invoicepdf.exe 'C:\Users\user\Desktop\invoicepdf.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EuegmryBXVkd' /XML 'C:\Users\user\AppData\Local\Temp\tmp5A9C.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\invoicepdf.exe C:\Users\user\Desktop\invoicepdf.exe
Source: C:\Users\user\Desktop\invoicepdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EuegmryBXVkd' /XML 'C:\Users\user\AppData\Local\Temp\tmp5A9C.tmp'
Source: C:\Users\user\Desktop\invoicepdf.exe | Process created: C:\Users\user\Desktop\invoicepdf.exe C:\Users\user\Desktop\invoicepdf.exe
Source: C:\Users\user\Desktop\invoicepdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\invoicepdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\invoicepdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: invoicepdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 0_2_002CD32B push 6F060001h; iretd
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 0_2_002CD381 push 6F060001h; iretd
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 0_2_002CD399 push 6F060001h; iretd
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 0_2_02553210 pushad ; retf
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 0_2_02552E09 push eax; retf
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_0048D381 push 6F060001h; iretd
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_0048D399 push 6F060001h; iretd
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_0048D32B push 6F060001h; iretd
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_055F4344 push cs; retf
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_055F43B8 push cs; retf
Source: C:\Users\user\Desktop\invoicepdf.exe | Code function: 5_2_055F42D0 push cs; retf
Source: initial sample | Static PE information: section name: .text entropy: 7.06854919564

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EuegmryBXVkd' /XML 'C:\Users\user\AppData\Local\Temp\tmp5A9C.tmp'
                      Source: C:\Users\user\Desktop\invoicepdf.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\invoicepdf.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM_3
                      Source: Yara match -> File source: 00000000.00000002.337569981.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -> File source: 00000000.00000002.337682468.0000000002ADC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -> File source: Process Memory Space: invoicepdf.exe PID: 6812, type: MEMORY
                      Source: Yara match -> File source: 0.2.invoicepdf.exe.2ac5f2c.1.raw.unpack, type: UNPACKEDPE
                      Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> Function Chain: systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,processSet,processSet,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: invoicepdf.exe, 00000000.00000002.337569981.0000000002AB1000.00000004.00000001.sdmp -> Binary or memory string: SBIEDLL.DLL
                      Source: invoicepdf.exe, 00000000.00000002.337569981.0000000002AB1000.00000004.00000001.sdmp -> Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> Code function: 0_2_0255833A str word ptr [eax+40h]
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> Window / User API: threadDelayed 645
                      Source: C:\Users\user\Desktop\invoicepdf.exe TID: 6816 -> Thread sleep time: -100358s >= -30000s
                      Source: C:\Users\user\Desktop\invoicepdf.exe TID: 6836 -> Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\invoicepdf.exe TID: 1688 -> Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\invoicepdf.exe TID: 1688 -> Thread sleep count: 645 > 30
                      Source: C:\Users\user\Desktop\invoicepdf.exe TID: 1688 -> Thread sleep time: -19350000s >= -30000s
                      Source: C:\Users\user\Desktop\invoicepdf.exe TID: 1688 -> Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exe -> Last function: Thread delayed
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> Last function: Thread delayed
                      Source: invoicepdf.exe, 00000000.00000002.337569981.0000000002AB1000.00000004.00000001.sdmp -> Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: invoicepdf.exe, 00000005.00000002.599846996.0000000004F20000.00000002.00000001.sdmp -> Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: invoicepdf.exe, 00000000.00000002.337569981.0000000002AB1000.00000004.00000001.sdmp -> Binary or memory string: vmware
                      Source: invoicepdf.exe, 00000005.00000002.599846996.0000000004F20000.00000002.00000001.sdmp -> Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: invoicepdf.exe, 00000005.00000002.599846996.0000000004F20000.00000002.00000001.sdmp -> Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: invoicepdf.exe, 00000000.00000002.337569981.0000000002AB1000.00000004.00000001.sdmp -> Binary or memory string: VMware SVGA II
                      Source: invoicepdf.exe, 00000000.00000002.337569981.0000000002AB1000.00000004.00000001.sdmp -> Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: invoicepdf.exe, 00000005.00000002.599846996.0000000004F20000.00000002.00000001.sdmp -> Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> Code function: 5_2_029B3A88 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into a foreign process
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> Memory written: C:\Users\user\Desktop\invoicepdf.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EuegmryBXVkd' /XML 'C:\Users\user\AppData\Local\Temp\tmp5A9C.tmp'
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> Process created: C:\Users\user\Desktop\invoicepdf.exe C:\Users\user\Desktop\invoicepdf.exe
                      Source: invoicepdf.exe, 00000005.00000002.595866413.0000000001200000.00000002.00000001.sdmp -> Binary or memory string: Shell_TrayWnd
                      Source: invoicepdf.exe, 00000005.00000002.595866413.0000000001200000.00000002.00000001.sdmp -> Binary or memory string: Progman
                      Source: invoicepdf.exe, 00000005.00000002.595866413.0000000001200000.00000002.00000001.sdmp -> Binary or memory string: &Program Manager
                      Source: invoicepdf.exe, 00000005.00000002.595866413.0000000001200000.00000002.00000001.sdmp -> Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> Code function: 0_2_00B5B0BE GetUserNameW,
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match -> File source: 00000005.00000002.594160867.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match -> File source: 00000005.00000002.598124128.0000000002D9F000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -> File source: 00000000.00000002.338574835.0000000003B5E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -> File source: 00000005.00000002.597890821.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -> File source: Process Memory Space: invoicepdf.exe PID: 7052, type: MEMORY
                      Source: Yara match -> File source: Process Memory Space: invoicepdf.exe PID: 6812, type: MEMORY
                      Source: Yara match -> File source: 5.2.invoicepdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match -> File source: 0.2.invoicepdf.exe.3d71aa0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match -> File source: 0.2.invoicepdf.exe.3d71aa0.2.unpack, type: UNPACKEDPE
                      Source: Yara match -> File source: 0.2.invoicepdf.exe.3c743f0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match -> File source: 0.2.invoicepdf.exe.3c187d0.4.raw.unpack, type: UNPACKEDPE
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Tries to steal Mail credentials (via file access)
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\Desktop\invoicepdf.exe -> Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Yara match -> File source: 00000005.00000002.597890821.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -> File source: Process Memory Space: invoicepdf.exe PID: 7052, type: MEMORY

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match -> File source: 00000005.00000002.594160867.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match -> File source: 00000005.00000002.598124128.0000000002D9F000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -> File source: 00000000.00000002.338574835.0000000003B5E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -> File source: 00000005.00000002.597890821.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -> File source: Process Memory Space: invoicepdf.exe PID: 7052, type: MEMORY
                      Source: Yara match -> File source: Process Memory Space: invoicepdf.exe PID: 6812, type: MEMORY
                      Source: Yara match -> File source: 5.2.invoicepdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match -> File source: 0.2.invoicepdf.exe.3d71aa0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match -> File source: 0.2.invoicepdf.exe.3d71aa0.2.unpack, type: UNPACKEDPE
                      Source: Yara match -> File source: 0.2.invoicepdf.exe.3c743f0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match -> File source: 0.2.invoicepdf.exe.3c187d0.4.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation ²¹¹ | DLL Side-Loading ¹ | DLL Side-Loading ¹ | Disable or Modify Tools ¹¹ | OS Credential Dumping ² | Account Discovery ¹ | Remote Services | Archive Collected Data ¹ | Exfiltration Over Other Network Medium | Encrypted Channel ¹ | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Native API ¹ | Scheduled Task/Job ¹ | Access Token Manipulation ¹ | Obfuscated Files or Information ³¹ | Input Capture ¹¹ | File and Directory Discovery ¹ | Remote Desktop Protocol | Data from Local System ² | Exfiltration Over Bluetooth | Non-Standard Port ¹ | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | Command and Scripting Interpreter ² | Logon Script (Windows) | Process Injection ¹¹² | Software Packing ² | Credentials in Registry ¹ | System Information Discovery ¹¹⁴ | SMB/Windows Admin Shares | Email Collection ¹ | Automated Exfiltration | Non-Application Layer Protocol ¹ | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | Scheduled Task/Job ¹ | Logon Script (Mac) | Scheduled Task/Job ¹ | DLL Side-Loading ¹ | NTDS | Query Registry ¹ | Distributed Component Object Model | Input Capture ¹¹ | Scheduled Transfer | Application Layer Protocol ¹¹ | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading ¹ | LSA Secrets | Security Software Discovery ³²¹ | SSH | Clipboard Data ¹ | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion ¹⁵ | Cached Domain Credentials | Virtualization/Sandbox Evasion ¹⁵ | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation ¹ | DCSync | Process Discovery ² | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection ¹¹² | Proc Filesystem | Application Window Discovery ¹ | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery ¹ | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery ¹ | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

                      Behavior Graph

                      Behavior Graph ID: 358289 | Sample: invoicepdf.exe | Startdate: 25/02/2021 | Architecture: WINDOWS | Score: 100
                      Start node signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Sigma detected: Scheduled temp file as task from temp location; 7 other signatures
                      Process invoicepdf.exe (started from start node)
                      • Dropped files: C:\Users\user\AppData\...uegmryBXVkd.exe (PE32); C:\Users\user\AppData\Local\...\tmp5A9C.tmp (XML); C:\Users\user\AppData\...\invoicepdf.exe.log (ASCII)
                      • Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign process; Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
                      • Started: invoicepdf.exe (child process); schtasks.exe
                      Process invoicepdf.exe (child, started by invoicepdf.exe)
                      • DNS/IP: mail.com-cept.com 185.221.216.77, 49754, 587, HOST4GEEKS-LLCUS, United Kingdom; 192.168.2.1 unknown unknown
                      • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 2 other signatures
                      Process schtasks.exe (started by invoicepdf.exe)
                      • Started: conhost.exe


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      invoicepdf.exe | 17% | Virustotal |

                      Dropped Files

                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Roaming\EuegmryBXVkd.exe | 10% | ReversingLabs | Win32.Trojan.Wacatac

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      5.2.invoicepdf.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                      https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      https://x4UtAvxhwOMMhTg.org | 0% | Avira URL Cloud | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      https://api.ipify.org% | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                      http://HtsCZk.com | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      mail.com-cept.com | 185.221.216.77 | true | true | | unknown

                        URLs from Memory and Binaries

                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://127.0.0.1:HTTP/1.1 | invoicepdf.exe, 00000005.00000002.597890821.0000000002D11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                        https://api.ipify.org%GETMozilla/5.0 | invoicepdf.exe, 00000005.00000002.597890821.0000000002D11000.00000004.00000001.sdmp | false | URL Reputation: safe | low
                        http://DynDns.comDynDNS | invoicepdf.exe, 00000005.00000002.597890821.0000000002D11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                        https://x4UtAvxhwOMMhTg.org | invoicepdf.exe, 00000005.00000002.598124128.0000000002D9F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | invoicepdf.exe, 00000005.00000002.597890821.0000000002D11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                        https://api.ipify.org% | invoicepdf.exe, 00000005.00000002.597890821.0000000002D11000.00000004.00000001.sdmp | false | URL Reputation: safe | low
                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | invoicepdf.exe, 00000000.00000002.338574835.0000000003B5E000.00000004.00000001.sdmp, invoicepdf.exe, 00000005.00000002.594160867.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
                        http://HtsCZk.com | invoicepdf.exe, 00000005.00000002.597890821.0000000002D11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                        https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | invoicepdf.exe, 00000000.00000002.337569981.0000000002AB1000.00000004.00000001.sdmp | false | | high

                          Contacted IPs


                          Public

                          IP | Domain | Country | ASN | ASN Name | Malicious
                          185.221.216.77 | unknown | United Kingdom | 393960 | HOST4GEEKS-LLCUS | true

                          Private

                          IP
                          192.168.2.1

                          General Information

                          Joe Sandbox Version: 31.0.0 Emerald
                          Analysis ID: 358289
                          Start date: 25.02.2021
                          Start time: 11:41:09
                          Joe Sandbox Product: CloudBasic
                          Overall analysis duration: 0h 9m 6s
                          Hypervisor based Inspection enabled: false
                          Report type: light
                          Sample file name: invoicepdf.exe
                          Cookbook file name: default.jbs
                          Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                          Number of new started processes analysed: 26
                          Number of new started drivers analysed: 0
                          Number of existing processes analysed: 0
                          Number of existing drivers analysed: 0
                          Number of injected processes analysed: 0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode: default
                          Analysis stop reason: Timeout
                          Detection: MAL
                          Classification: mal100.troj.spyw.evad.winEXE@6/4@1/2
                          EGA Information: Failed
                          HDC Information:
                          • Successful, ratio: 4.6% (good quality ratio 3.2%)
                          • Quality average: 56.4%
                          • Quality standard deviation: 42.1%
                          HCA Information:
                          • Successful, ratio: 91%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Found application associated with file extension: .exe
                          Warnings:
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                          • Excluded IPs from analysis (whitelisted): 104.42.151.234, 131.253.33.200, 13.107.22.200, 23.211.6.115, 52.147.198.201, 51.104.139.180, 2.20.142.209, 2.20.142.210, 67.26.73.254, 8.248.143.254, 8.253.95.249, 8.253.95.120, 67.26.83.254, 51.103.5.159, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 184.30.20.56
                          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, dual-a-0001.dc-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.

                          Simulations

                          Behavior and APIs

Time | Type | Description
11:41:59 | API Interceptor | 946x Sleep call for process: invoicepdf.exe modified

                          Joe Sandbox View / Context

                          IPs

Match | Associated Sample Name / URL | Detection | Context
185.221.216.77 | invoice.pdf.exe | malicious |
185.221.216.77 | invoice copys.exe | malicious |

                              Domains

Match | Associated Sample Name / URL | Detection | Context
mail.com-cept.com | invoice.pdf.exe | malicious | 185.221.216.77
mail.com-cept.com | invoice copys.exe | malicious | 185.221.216.77

                              ASN

Match | Associated Sample Name / URL | Detection | Context
HOST4GEEKS-LLCUS | invoice.pdf.exe | malicious | 185.221.216.77
HOST4GEEKS-LLCUS | synchronossTicket#513473.htm | malicious | 185.221.216.34
HOST4GEEKS-LLCUS | invoice copys.exe | malicious | 185.221.216.77
HOST4GEEKS-LLCUS | 55-2912.doc | malicious | 66.85.46.76
HOST4GEEKS-LLCUS | DAT_G_0259067.doc | malicious | 66.85.46.76
HOST4GEEKS-LLCUS | DAT_G_0259067.doc | malicious | 66.85.46.76
HOST4GEEKS-LLCUS | 5349 TED_04235524.doc | malicious | 66.85.46.76
HOST4GEEKS-LLCUS | 5349 TED_04235524.doc | malicious | 66.85.46.76
HOST4GEEKS-LLCUS | FILE_122020_VVY_591928.doc | malicious | 66.85.46.76
HOST4GEEKS-LLCUS | Archivo_29_48214503.doc | malicious | 66.85.46.76
HOST4GEEKS-LLCUS | Adjunto 29 886_473411.doc | malicious | 66.85.46.76
HOST4GEEKS-LLCUS | Informacion_29.doc | malicious | 66.85.46.76
HOST4GEEKS-LLCUS | Informacion_29.doc | malicious | 66.85.46.76
HOST4GEEKS-LLCUS | Informacion_122020_EUH-4262717.doc | malicious | 66.85.46.76
HOST4GEEKS-LLCUS | 1923620_YY-5094713.doc | malicious | 66.85.46.76
HOST4GEEKS-LLCUS | Doc 2912 75513.doc | malicious | 66.85.46.76
HOST4GEEKS-LLCUS | DAT.doc | malicious | 66.85.46.76
HOST4GEEKS-LLCUS | ARCHIVOFile_762-36284.doc | malicious | 66.85.46.76
HOST4GEEKS-LLCUS | 4640-2912-122020.doc | malicious | 66.85.46.76
HOST4GEEKS-LLCUS | MENSAJE_29_2020.doc | malicious | 66.85.46.76

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\invoicepdf.exe.log
                              Process:C:\Users\user\Desktop\invoicepdf.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):664
                              Entropy (8bit):5.288448637977022
                              Encrypted:false
                              SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
                              MD5:B1DB55991C3DA14E35249AEA1BC357CA
                              SHA1:0DD2D91198FDEF296441B12F1A906669B279700C
                              SHA-256:34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
                              SHA-512:BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
                              Malicious:true
                              Reputation:moderate, very likely benign file
                              Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..
                              C:\Users\user\AppData\Local\Temp\tmp5A9C.tmp
                              Process:C:\Users\user\Desktop\invoicepdf.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1657
                              Entropy (8bit):5.161993843403802
                              Encrypted:false
                              SSDEEP:24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3stn:cbha7JlNQV/rydbz9I3YODOLNdq3s
                              MD5:9149142410DC43256D3D9AF56DBDEEAA
                              SHA1:3A42048F278DEF0A3CA6033B90E5BF6ABF15480B
                              SHA-256:8E67B925715A8CD51CAC18764A72B58A3547345A896B05AF84EA811FBF3DEBBC
                              SHA-512:B0AF46671E2D5EC56FF9038E7E3F5F394BF4D14D0120244B623A13FA0786C91EE81464F66F6023617E7A66B4E1B81E90D0B6782CA2E8455E406B099E97ECAFF1
                              Malicious:true
                              Reputation:low
                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
                              C:\Users\user\AppData\Roaming\EuegmryBXVkd.exe
                              Process:C:\Users\user\Desktop\invoicepdf.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):788992
                              Entropy (8bit):7.074594045321417
                              Encrypted:false
                              SSDEEP:12288:ZSprUPZb4NuAvlTwvtonQkJzUOBjgQQiq62fo1:ZEU4NuA9QkyO2im2
                              MD5:6F98206E6905F1F727E255D114D3C0AC
                              SHA1:71F6208364A668E72F8109A373C6C83C90B7999F
                              SHA-256:97069C864EBE6A1A3E6E85BD1FF54351810CC32DE3CDFE34F7FEF15F04DA0B87
                              SHA-512:53E6E020FD5DF48E7909C42C01E1FD565FE0107C0248C359B22394F67C0F3E8A67C1C7A59C70D9C964AD3D44963735505C69B7D242C3E688C9DB4758DB407703
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 10%
                              Reputation:low
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....t7`..............P......N......r.... ........@.. .......................`............@................................. ...O.......LK...................@....................................................... ............... ..H............text...x.... ...................... ..`.rsrc...LK.......L..................@..@.reloc.......@......................@..B................T.......H..........TO..........0................................................0............(....(..........(.....o.....*.....................(.......( ......(!......("......(#....*N..(....oL...($....*&..(%....*.s&........s'........s(........s)........s*........*....0...........~....o+....+..*.0...........~....o,....+..*.0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0..<........~.....(0.....,!r...p.....(1...o2...s3............~.....+..*.0......
                              C:\Users\user\AppData\Roaming\EuegmryBXVkd.exe:Zone.Identifier
                              Process:C:\Users\user\Desktop\invoicepdf.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview: [ZoneTransfer]....ZoneId=0

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.074594045321417
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                              • Win32 Executable (generic) a (10002005/4) 49.75%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Windows Screen Saver (13104/52) 0.07%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              File name:invoicepdf.exe
                              File size:788992
                              MD5:6f98206e6905f1f727e255d114d3c0ac
                              SHA1:71f6208364a668e72f8109a373c6c83c90b7999f
                              SHA256:97069c864ebe6a1a3e6e85bd1ff54351810cc32de3cdfe34f7fef15f04da0b87
                              SHA512:53e6e020fd5df48e7909c42c01e1fd565fe0107c0248c359b22394f67c0f3e8a67c1c7a59c70d9c964ad3d44963735505c69b7d242c3e688c9db4758db407703
                              SSDEEP:12288:ZSprUPZb4NuAvlTwvtonQkJzUOBjgQQiq62fo1:ZEU4NuA9QkyO2im2
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....t7`..............P......N......r.... ........@.. .......................`............@................................

                              File Icon

                              Icon Hash:f8c492aaaa92dcfe

                              Static PE Info

                              General

                              Entrypoint:0x4bd872
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                              Time Stamp:0x6037748A [Thu Feb 25 09:57:30 2021 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:v2.0.50727
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                              Entrypoint Preview

                              Instruction
                              jmp dword ptr [00402000h]

                              Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbd820 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbe000 | 0x4b4c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                              Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xbb878 | 0xbba00 | False | 0.608667138574 | data | 7.06854919564 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xbe000 | 0x4b4c | 0x4c00 | False | 0.487201891447 | data | 5.74193482381 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                              Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xbe1c0 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0xbe628 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4275388049, next used block 4258479509 | |
RT_ICON | 0xbf6d0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 3771611807, next used block 3167566498 | |
RT_GROUP_ICON | 0xc1c78 | 0x30 | data | |
RT_GROUP_ICON | 0xc1ca8 | 0x14 | data | |
RT_VERSION | 0xc1cbc | 0x378 | data | |
RT_MANIFEST | 0xc2034 | 0xb15 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators | |

                              Imports

DLL | Import
mscoree.dll | _CorExeMain

                              Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2014
Assembly Version | 3.0.0.0
InternalName | SubcategoryMembershipEntry.exe
FileVersion | 3.0.0.0
CompanyName | KTV
LegalTrademarks |
Comments |
ProductName | KTVManagement
ProductVersion | 3.0.0.0
FileDescription | KTVManagement
OriginalFilename | SubcategoryMembershipEntry.exe

                              Network Behavior

                              Network Port Distribution

                              TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 25, 2021 11:43:31.370840073 CET | 49754 | 587 | 192.168.2.6 | 185.221.216.77
Feb 25, 2021 11:43:31.428172112 CET | 587 | 49754 | 185.221.216.77 | 192.168.2.6
Feb 25, 2021 11:43:31.429424047 CET | 49754 | 587 | 192.168.2.6 | 185.221.216.77
Feb 25, 2021 11:43:31.562700033 CET | 587 | 49754 | 185.221.216.77 | 192.168.2.6
Feb 25, 2021 11:43:31.565654993 CET | 49754 | 587 | 192.168.2.6 | 185.221.216.77
Feb 25, 2021 11:43:31.623167992 CET | 587 | 49754 | 185.221.216.77 | 192.168.2.6
Feb 25, 2021 11:43:31.624363899 CET | 49754 | 587 | 192.168.2.6 | 185.221.216.77
Feb 25, 2021 11:43:31.683339119 CET | 587 | 49754 | 185.221.216.77 | 192.168.2.6
Feb 25, 2021 11:43:31.715395927 CET | 49754 | 587 | 192.168.2.6 | 185.221.216.77
Feb 25, 2021 11:43:31.773184061 CET | 587 | 49754 | 185.221.216.77 | 192.168.2.6
Feb 25, 2021 11:43:31.773322105 CET | 49754 | 587 | 192.168.2.6 | 185.221.216.77

                              UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 25, 2021 11:41:49.699194908 CET | 54513 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:41:49.734250069 CET | 62044 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:41:49.747864962 CET | 53 | 54513 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:41:49.785949945 CET | 53 | 62044 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:41:51.229141951 CET | 63791 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:41:51.281054974 CET | 53 | 63791 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:41:51.926170111 CET | 64267 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:41:51.985377073 CET | 53 | 64267 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:41:52.386835098 CET | 49448 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:41:52.449146986 CET | 53 | 49448 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:41:53.526319027 CET | 60342 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:41:53.575036049 CET | 53 | 60342 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:41:54.992599964 CET | 61346 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:41:55.043550968 CET | 53 | 61346 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:41:55.847457886 CET | 51774 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:41:56.861562967 CET | 51774 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:41:57.876817942 CET | 51774 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:41:57.928577900 CET | 53 | 51774 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:41:59.229866028 CET | 56023 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:41:59.278750896 CET | 53 | 56023 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:01.666904926 CET | 58384 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:01.715954065 CET | 53 | 58384 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:02.539083958 CET | 60261 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:02.588154078 CET | 53 | 60261 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:03.722847939 CET | 56061 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:03.774718046 CET | 53 | 56061 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:05.102363110 CET | 58336 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:05.161025047 CET | 53 | 58336 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:06.278151989 CET | 53781 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:06.327392101 CET | 53 | 53781 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:07.443907022 CET | 54064 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:07.493066072 CET | 53 | 54064 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:08.589304924 CET | 52811 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:08.639059067 CET | 53 | 52811 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:09.869546890 CET | 55299 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:09.921233892 CET | 53 | 55299 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:11.277381897 CET | 63745 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:11.326066971 CET | 53 | 63745 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:12.736093998 CET | 50055 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:12.784821987 CET | 53 | 50055 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:15.552386999 CET | 61374 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:15.601363897 CET | 53 | 61374 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:25.583460093 CET | 50339 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:25.632186890 CET | 53 | 50339 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:45.148912907 CET | 63307 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:45.210259914 CET | 53 | 63307 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:45.310525894 CET | 49694 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:45.361241102 CET | 53 | 49694 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:47.312665939 CET | 54982 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:47.364840984 CET | 53 | 54982 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:47.882683039 CET | 50010 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:47.967247009 CET | 53 | 50010 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:48.884064913 CET | 63718 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:48.944849014 CET | 53 | 63718 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:49.664988995 CET | 62116 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:49.730720043 CET | 53 | 62116 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:50.479805946 CET | 63816 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:50.539237022 CET | 53 | 63816 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:51.013923883 CET | 55014 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:51.071263075 CET | 53 | 55014 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:52.064951897 CET | 62208 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:52.129256010 CET | 53 | 62208 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:53.159595013 CET | 57574 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:53.228266954 CET | 53 | 57574 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:54.146301985 CET | 51818 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:54.218048096 CET | 53 | 51818 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:54.380764008 CET | 56628 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:54.440798044 CET | 53 | 56628 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:56.036001921 CET | 60778 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:56.087968111 CET | 53 | 60778 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:56.758483887 CET | 53799 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:56.815855980 CET | 53 | 53799 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:42:59.353415966 CET | 54683 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:42:59.414673090 CET | 53 | 54683 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:43:30.139228106 CET | 59329 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:43:30.187971115 CET | 53 | 59329 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:43:30.871164083 CET | 64021 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:43:30.939100981 CET | 53 | 64021 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:43:31.287022114 CET | 56129 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:43:31.352623940 CET | 53 | 56129 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 11:43:32.426588058 CET | 58177 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 11:43:32.491616964 CET | 53 | 58177 | 8.8.8.8 | 192.168.2.6

                              DNS Queries

                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                               Feb 25, 2021 11:43:31.287022114 CET | 192.168.2.6 | 8.8.8.8 | 0x73d0 | Standard query (0) | mail.com-cept.com | A (IP address) | IN (0x0001)

                              DNS Answers

                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                               Feb 25, 2021 11:43:31.352623940 CET | 8.8.8.8 | 192.168.2.6 | 0x73d0 | No error (0) | mail.com-cept.com | | 185.221.216.77 | A (IP address) | IN (0x0001)

                              SMTP Packets

                               Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                               Feb 25, 2021 11:43:31.562700033 CET | 587 | 49754 | 185.221.216.77 | 192.168.2.6 | 220-uksrv3.websiteserverbox.com ESMTP Exim 4.93 #2 Thu, 25 Feb 2021 05:43:30 -0500
                                   220-We do not authorize the use of this system to transport unsolicited,
                                   220 and/or bulk e-mail.
                               Feb 25, 2021 11:43:31.565654993 CET | 49754 | 587 | 192.168.2.6 | 185.221.216.77 | EHLO 123716
                               Feb 25, 2021 11:43:31.623167992 CET | 587 | 49754 | 185.221.216.77 | 192.168.2.6 | 250-uksrv3.websiteserverbox.com Hello 123716 [84.17.52.78]
                                   250-SIZE 52428800
                                   250-8BITMIME
                                   250-PIPELINING
                                   250-AUTH PLAIN LOGIN
                                   250-STARTTLS
                                   250 HELP
                               Feb 25, 2021 11:43:31.624363899 CET | 49754 | 587 | 192.168.2.6 | 185.221.216.77 | STARTTLS
                               Feb 25, 2021 11:43:31.683339119 CET | 587 | 49754 | 185.221.216.77 | 192.168.2.6 | 220 TLS go ahead

                              Code Manipulations

                              Statistics

                              Behavior


                              System Behavior

                              General

                               Start time: 11:41:58
                               Start date: 25/02/2021
                               Path: C:\Users\user\Desktop\invoicepdf.exe
                               Wow64 process (32bit): true
                               Commandline: 'C:\Users\user\Desktop\invoicepdf.exe'
                               Imagebase: 0x2c0000
                               File size: 788992 bytes
                               MD5 hash: 6F98206E6905F1F727E255D114D3C0AC
                               Has elevated privileges: true
                               Has administrator privileges: true
                               Programmed in: .Net C# or VB.NET
                               Yara matches:
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.337569981.0000000002AB1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.337682468.0000000002ADC000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.338574835.0000000003B5E000.00000004.00000001.sdmp, Author: Joe Security
                               Reputation: low

                              General

                               Start time: 11:42:01
                               Start date: 25/02/2021
                               Path: C:\Windows\SysWOW64\schtasks.exe
                               Wow64 process (32bit): true
                               Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EuegmryBXVkd' /XML 'C:\Users\user\AppData\Local\Temp\tmp5A9C.tmp'
                               Imagebase: 0x1120000
                               File size: 185856 bytes
                               MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                               Has elevated privileges: true
                               Has administrator privileges: true
                               Programmed in: C, C++ or other language
                               Reputation: high

                              General

                               Start time: 11:42:02
                               Start date: 25/02/2021
                               Path: C:\Windows\System32\conhost.exe
                               Wow64 process (32bit): false
                               Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                               Imagebase: 0x7ff61de10000
                               File size: 625664 bytes
                               MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                               Has elevated privileges: true
                               Has administrator privileges: true
                               Programmed in: C, C++ or other language
                               Reputation: high

                              General

                               Start time: 11:42:02
                               Start date: 25/02/2021
                               Path: C:\Users\user\Desktop\invoicepdf.exe
                               Wow64 process (32bit): true
                               Commandline: C:\Users\user\Desktop\invoicepdf.exe
                               Imagebase: 0x480000
                               File size: 788992 bytes
                               MD5 hash: 6F98206E6905F1F727E255D114D3C0AC
                               Has elevated privileges: true
                               Has administrator privileges: true
                               Programmed in: .Net C# or VB.NET
                               Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.594160867.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.598124128.0000000002D9F000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.597890821.0000000002D11000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.597890821.0000000002D11000.00000004.00000001.sdmp, Author: Joe Security
                               Reputation: low

                              Disassembly

                              Code Analysis
