Play interactive tour

Edit tour

Analysis Report NEW-P&I_Circularpdf.exe

Overview

General Information

Sample Name:	NEW-P&I_Circularpdf.exe
Analysis ID:	383960
MD5:	182216a47605c50db6b8796adff4e3f9
SHA1:	06c36b24b2d877600500590d2b57f670d58773fc
SHA256:	408d0b8cf4df11f74ecd574dccdcc5bc7fdf483fce512401e0c767e801815357
Tags:	AgentTesla
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

NEW-P&I_Circularpdf.exe (PID: 6840 cmdline: 'C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe' MD5: 182216A47605C50DB6B8796ADFF4E3F9)

schtasks.exe (PID: 5956 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sfgTsm' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA76.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

NEW-P&I_Circularpdf.exe (PID: 5980 cmdline: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe MD5: 182216A47605C50DB6B8796ADFF4E3F9)

NEW-P&I_Circularpdf.exe (PID: 6032 cmdline: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe MD5: 182216A47605C50DB6B8796ADFF4E3F9)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "newadmin@1300dentrepair.com.aumoney123@@@mail.1300dentrepair.com.au"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000008.00000002.907967195.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.670515313.000000000428B000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.910158370.0000000003091000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.910158370.0000000003091000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: NEW-P&I_Circularpdf.exe PID: 6840	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: NEW-P&I_Circularpdf.exe PID: 6840	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NEW-P&I_Circularpdf.exe PID: 6032	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: NEW-P&I_Circularpdf.exe PID: 6032	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
8.2.NEW-P&I_Circularpdf.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.NEW-P&I_Circularpdf.exe.432e540.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.NEW-P&I_Circularpdf.exe.432e540.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sfgTsm' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA76.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sfgTsm' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA76.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe' , ParentImage: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe, ParentProcessId: 6840, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sfgTsm' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA76.tmp', ProcessId: 5956

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.NEW-P&I_Circularpdf.exe.432e540.4.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "newadmin@1300dentrepair.com.aumoney123@@@mail.1300dentrepair.com.au"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\sfgTsm.exe

ReversingLabs: Detection: 22%

Multi AV Scanner detection for submitted file

Show sources

Source: NEW-P&I_Circularpdf.exe	Virustotal: Detection: 45%			Perma Link
Source: NEW-P&I_Circularpdf.exe	ReversingLabs: Detection: 22%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\sfgTsm.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: NEW-P&I_Circularpdf.exe

Joe Sandbox ML: detected

Source: 8.2.NEW-P&I_Circularpdf.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: NEW-P&I_Circularpdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: NEW-P&I_Circularpdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49764 -> 173.237.136.115:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49765 -> 173.237.136.115:587

Source: global traffic

TCP traffic: 192.168.2.4:49764 -> 173.237.136.115:587

Source: Joe Sandbox View

IP Address: 173.237.136.115 173.237.136.115

Source: Joe Sandbox View

ASN Name: ASMALLORANGE1US ASMALLORANGE1US

Source: global traffic

TCP traffic: 192.168.2.4:49764 -> 173.237.136.115:587

Source: unknown

DNS traffic detected: queries for: mail.1300dentrepair.com.au

Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.910158370.0000000003091000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.910607840.000000000341B000.00000004.00000001.sdmp	String found in binary or memory: http://1300dentrepair.com.au
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.910158370.0000000003091000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.910158370.0000000003091000.00000004.00000001.sdmp	String found in binary or memory: http://WArrNU.com
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.910607840.000000000341B000.00000004.00000001.sdmp	String found in binary or memory: http://mail.1300dentrepair.com.au
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668911684.00000000030F1000.00000004.00000001.sdmp, NEW-P&I_Circularpdf.exe, 00000000.00000002.668996521.0000000003155000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668996521.0000000003155000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: NEW-P&I_Circularpdf.exe, 00000000.00000003.645181408.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.677713745.000000000617A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.677713745.000000000617A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.come.com
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.677713745.000000000617A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comicFa
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: NEW-P&I_Circularpdf.exe, 00000000.00000003.642100886.000000000618B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comc
Source: NEW-P&I_Circularpdf.exe, 00000000.00000003.642120228.000000000618B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comn
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: NEW-P&I_Circularpdf.exe, 00000000.00000003.645181408.0000000006173000.00000004.00000001.sdmp, NEW-P&I_Circularpdf.exe, 00000000.00000003.645737096.000000000617A000.00000004.00000001.sdmp, NEW-P&I_Circularpdf.exe, 00000000.00000003.645525062.000000000617C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: NEW-P&I_Circularpdf.exe, 00000000.00000003.645558257.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/9
Source: NEW-P&I_Circularpdf.exe, 00000000.00000003.645558257.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: NEW-P&I_Circularpdf.exe, 00000000.00000003.645558257.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: NEW-P&I_Circularpdf.exe, 00000000.00000003.645181408.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/T
Source: NEW-P&I_Circularpdf.exe, 00000000.00000003.645321880.0000000006175000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0dl
Source: NEW-P&I_Circularpdf.exe, 00000000.00000003.645321880.0000000006175000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/a
Source: NEW-P&I_Circularpdf.exe, 00000000.00000003.645525062.000000000617C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/h
Source: NEW-P&I_Circularpdf.exe, 00000000.00000003.645321880.0000000006175000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/j
Source: NEW-P&I_Circularpdf.exe, 00000000.00000003.645321880.0000000006175000.00000004.00000001.sdmp, NEW-P&I_Circularpdf.exe, 00000000.00000003.645558257.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: NEW-P&I_Circularpdf.exe, 00000000.00000003.645321880.0000000006175000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/F
Source: NEW-P&I_Circularpdf.exe, 00000000.00000003.645321880.0000000006175000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/T
Source: NEW-P&I_Circularpdf.exe, 00000000.00000003.645737096.000000000617A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/x
Source: NEW-P&I_Circularpdf.exe, 00000000.00000003.645321880.0000000006175000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678400926.0000000007382000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.910158370.0000000003091000.00000004.00000001.sdmp	String found in binary or memory: https://N2oCWMiTpgUuukNONm.com
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.910158370.0000000003091000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.910158370.0000000003091000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.670515313.000000000428B000.00000004.00000001.sdmp, NEW-P&I_Circularpdf.exe, 00000008.00000002.907967195.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.910158370.0000000003091000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 8.2.NEW-P&I_Circularpdf.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b9982DCA1u002dA544u002d4D1Cu002d92EDu002d61252D968CF5u007d/D4DAB672u002d2802u002d4500u002dA3A8u002dB16CF8E10964.cs

Large array initialization: .cctor: array initializer size 11972

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe

Code function: 0_2_07830A70 NtQueryInformationProcess,

0_2_07830A70

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_030AC2B0	0_2_030AC2B0
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_030A99D8	0_2_030A99D8
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_07784680	0_2_07784680
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_07784430	0_2_07784430
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_07786239	0_2_07786239
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_07782080	0_2_07782080
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_07787FA8	0_2_07787FA8
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_07786E28	0_2_07786E28
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_07788ED8	0_2_07788ED8
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_0778B631	0_2_0778B631
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_0778B478	0_2_0778B478
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_0778B468	0_2_0778B468
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_07784420	0_2_07784420
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_0778B238	0_2_0778B238
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_0778B237	0_2_0778B237
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_0778F2D8	0_2_0778F2D8
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_0778B018	0_2_0778B018
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_0778B008	0_2_0778B008
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_07789E00	0_2_07789E00
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_07788E87	0_2_07788E87
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_07789DF3	0_2_07789DF3
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_07786DBB	0_2_07786DBB
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_0778ECA0	0_2_0778ECA0
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_07787A10	0_2_07787A10
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_0778A928	0_2_0778A928
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_07830D6A	0_2_07830D6A
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_0783B3A0	0_2_0783B3A0
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_078363D8	0_2_078363D8
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_07836AF0	0_2_07836AF0
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_07837108	0_2_07837108
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_078398B9	0_2_078398B9
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_07832868	0_2_07832868
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_07837F60	0_2_07837F60

Source: NEW-P&I_Circularpdf.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sfgTsm.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: NEW-P&I_Circularpdf.exe	Binary or memory string: OriginalFilename vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamelxgPVjCYHXruETfsTJKCQTgBrkYF.exe4 vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000000.00000003.654247974.0000000004259000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.680442001.000000000DD40000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678597649.0000000007760000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000000.00000000.639082381.0000000000D52000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIComparable.exe< vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.680709898.000000000DE40000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.680709898.000000000DE40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe	Binary or memory string: OriginalFilename vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000007.00000000.665767950.0000000000132000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIComparable.exe< vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.907967195.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamelxgPVjCYHXruETfsTJKCQTgBrkYF.exe4 vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000008.00000000.666790676.0000000000A32000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIComparable.exe< vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.909000081.0000000001320000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.908201620.0000000000EF8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.908505839.0000000001060000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe	Binary or memory string: OriginalFilenameIComparable.exe< vs NEW-P&I_Circularpdf.exe

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe

Section loaded: onecoreuapcommonproxystub.dll

Jump to behavior

Source: NEW-P&I_Circularpdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: NEW-P&I_Circularpdf.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: sfgTsm.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 8.2.NEW-P&I_Circularpdf.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.2.NEW-P&I_Circularpdf.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/5@5/1

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe

File created: C:\Users\user\AppData\Roaming\sfgTsm.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4424:120:WilError_01
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\mFsqSyikpbNYwygWaSyhERzadFT

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmpBA76.tmp

Jump to behavior

Source: NEW-P&I_Circularpdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: NEW-P&I_Circularpdf.exe	Virustotal: Detection: 45%
Source: NEW-P&I_Circularpdf.exe	ReversingLabs: Detection: 22%

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe

File read: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe 'C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe'
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sfgTsm' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA76.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process created: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process created: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sfgTsm' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA76.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process created: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process created: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Jump to behavior

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: NEW-P&I_Circularpdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: NEW-P&I_Circularpdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 0_2_00D55955 push es; ret	0_2_00D55965
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 7_2_00135955 push es; ret	7_2_00135965
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 8_3_012E9246 pushfd ; retf	8_3_012E9261
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 8_3_012E9246 pushfd ; retf	8_3_012E9261
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 8_3_012E9246 pushfd ; retf	8_3_012E9261
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 8_3_012E9246 pushfd ; retf	8_3_012E9261
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 8_3_012E9246 pushfd ; retf	8_3_012E9261
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 8_3_012E9246 pushfd ; retf	8_3_012E9261
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 8_3_012E9246 pushfd ; retf	8_3_012E9261
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 8_3_012E9246 pushfd ; retf	8_3_012E9261
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Code function: 8_3_012E9246 pushfd ; retf	8_3_012E9261

Source: initial sample	Static PE information: section name: .text entropy: 7.79009992591
Source: initial sample	Static PE information: section name: .text entropy: 7.79009992591

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe

File created: C:\Users\user\AppData\Roaming\sfgTsm.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sfgTsm' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA76.tmp'

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW-P&I_Circularpdf.exe PID: 6840, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Window / User API: threadDelayed 1311			Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Window / User API: threadDelayed 8541			Jump to behavior

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe TID: 6844	Thread sleep time: -103195s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe TID: 6868	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe TID: 3040	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe TID: 6568	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe TID: 6580	Thread sleep count: 1311 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe TID: 6580	Thread sleep count: 8541 > 30	Jump to behavior

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Thread delayed: delay time: 103195	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678923352.0000000007AF5000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: NEW-P&I_Circularpdf.exe	Binary or memory string: Hyper-V RAW
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: NEW-P&I_Circularpdf.exe, 00000008.00000003.890791103.00000000012E1000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report NEW-P&I_Circularpdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion: