
Analysis Report NEW-P&I_Circularpdf.exe

Overview

General Information

Sample Name: NEW-P&I_Circularpdf.exe
Analysis ID: 383960
MD5: 182216a47605c50db6b8796adff4e3f9
SHA1: 06c36b24b2d877600500590d2b57f670d58773fc
SHA256: 408d0b8cf4df11f74ecd574dccdcc5bc7fdf483fce512401e0c767e801815357
Tags: AgentTesla

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • NEW-P&I_Circularpdf.exe (PID: 6840 cmdline: 'C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe' MD5: 182216A47605C50DB6B8796ADFF4E3F9)
    • schtasks.exe (PID: 5956 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sfgTsm' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA76.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • NEW-P&I_Circularpdf.exe (PID: 5980 cmdline: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe MD5: 182216A47605C50DB6B8796ADFF4E3F9)
    • NEW-P&I_Circularpdf.exe (PID: 6032 cmdline: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe MD5: 182216A47605C50DB6B8796ADFF4E3F9)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "newadmin@1300dentrepair.com.aumoney123@@@mail.1300dentrepair.com.au"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000008.00000002.907967195.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.670515313.000000000428B000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000008.00000002.910158370.0000000003091000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000008.00000002.910158370.0000000003091000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.NEW-P&I_Circularpdf.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.NEW-P&I_Circularpdf.exe.432e540.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.NEW-P&I_Circularpdf.exe.432e540.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sfgTsm' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA76.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sfgTsm' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA76.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe'
  ParentImage: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe
  ParentProcessId: 6840
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sfgTsm' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA76.tmp'
  ProcessId: 5956

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.NEW-P&I_Circularpdf.exe.432e540.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "newadmin@1300dentrepair.com.aumoney123@@@mail.1300dentrepair.com.au"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\sfgTsm.exe | ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: NEW-P&I_Circularpdf.exe | Virustotal: Detection: 45%
Source: NEW-P&I_Circularpdf.exe | ReversingLabs: Detection: 22%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\sfgTsm.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: NEW-P&I_Circularpdf.exe | Joe Sandbox ML: detected
Source: 8.2.NEW-P&I_Circularpdf.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: NEW-P&I_Circularpdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: NEW-P&I_Circularpdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49764 -> 173.237.136.115:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49765 -> 173.237.136.115:587
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 173.237.136.115:587
Source: Joe Sandbox View | IP Address: 173.237.136.115
Source: Joe Sandbox View | ASN Name: ASMALLORANGE1US
Source: unknown | DNS traffic detected: queries for: mail.1300dentrepair.com.au
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.910158370.0000000003091000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.910607840.000000000341B000.00000004.00000001.sdmp | String found in binary or memory: http://1300dentrepair.com.au
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.910158370.0000000003091000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.910158370.0000000003091000.00000004.00000001.sdmp | String found in binary or memory: http://WArrNU.com
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.910158370.0000000003091000.00000004.00000001.sdmp | String found in binary or memory: https://N2oCWMiTpgUuukNONm.com
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.910158370.0000000003091000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.910158370.0000000003091000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.670515313.000000000428B000.00000004.00000001.sdmp, NEW-P&I_Circularpdf.exe, 00000008.00000002.907967195.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.910158370.0000000003091000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 8.2.NEW-P&I_Circularpdf.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b9982DCA1u002dA544u002d4D1Cu002d92EDu002d61252D968CF5u007d/D4DAB672u002d2802u002d4500u002dA3A8u002dB16CF8E10964.cs | Large array initialization: .cctor: array initializer size 11972
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe | Code function: 0_2_07830A70 NtQueryInformationProcess
Source: NEW-P&I_Circularpdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sfgTsm.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NEW-P&I_Circularpdf.exe | Binary or memory string: OriginalFilename vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamelxgPVjCYHXruETfsTJKCQTgBrkYF.exe4 vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000000.00000003.654247974.0000000004259000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll" vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.680442001.000000000DD40000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678597649.0000000007760000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll2 vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000000.00000000.639082381.0000000000D52000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIComparable.exe< vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.680709898.000000000DE40000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.680709898.000000000DE40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000007.00000000.665767950.0000000000132000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIComparable.exe< vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.907967195.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamelxgPVjCYHXruETfsTJKCQTgBrkYF.exe4 vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000008.00000000.666790676.0000000000A32000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIComparable.exe< vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.909000081.0000000001320000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.908201620.0000000000EF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe, 00000008.00000002.908505839.0000000001060000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs NEW-P&I_Circularpdf.exe
Source: NEW-P&I_Circularpdf.exe | Binary or memory string: OriginalFilenameIComparable.exe< vs NEW-P&I_Circularpdf.exe
Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: NEW-P&I_Circularpdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: NEW-P&I_Circularpdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: sfgTsm.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 8.2.NEW-P&I_Circularpdf.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/5@5/1
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exeFile created: C:\Users\user\AppData\Roaming\sfgTsm.exeJump to behavior
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4424:120:WilError_01
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exeMutant created: \Sessions\1\BaseNamedObjects\mFsqSyikpbNYwygWaSyhERzadFT
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmpBA76.tmpJump to behavior
                  Source: NEW-P&I_Circularpdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmpBinary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
                  Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
                  Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
                  Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmpBinary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
                  Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                  Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                  Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                  Source: NEW-P&I_Circularpdf.exe -- Virustotal: Detection: 45%
                  Source: NEW-P&I_Circularpdf.exe -- ReversingLabs: Detection: 22%
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- File read: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe
                  Source: unknown -- Process created: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe 'C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe'
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sfgTsm' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA76.tmp'
                  Source: C:\Windows\SysWOW64\schtasks.exe -- Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- Process created: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- Process created: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: NEW-P&I_Circularpdf.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: NEW-P&I_Circularpdf.exe -- Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- Code function: 0_2_00D55955 push es; ret 0_2_00D55965
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- Code function: 7_2_00135955 push es; ret 7_2_00135965
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- Code function: 8_3_012E9246 pushfd ; retf 8_3_012E9261
                  Source: initial sample -- Static PE information: section name: .text entropy: 7.79009992591
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- File created: C:\Users\user\AppData\Roaming\sfgTsm.exe

                  Boot Survival:

                  Uses schtasks.exe or at.exe to add and modify task schedules
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sfgTsm' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA76.tmp'
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  Yara detected AntiVM3
                  Source: Yara match -- File source: 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match -- File source: Process Memory Space: NEW-P&I_Circularpdf.exe PID: 6840, type: MEMORY
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp -- Binary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp -- Binary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- Window / User API: threadDelayed 1311
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- Window / User API: threadDelayed 8541
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe TID: 6844 -- Thread sleep time: -103195s >= -30000s
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe TID: 6868 -- Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe TID: 3040 -- Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe TID: 6568 -- Thread sleep time: -14757395258967632s >= -30000s
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe TID: 6580 -- Thread sleep count: 1311 > 30
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe TID: 6580 -- Thread sleep count: 8541 > 30
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- Thread delayed: delay time: 103195
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- Thread delayed: delay time: 922337203685477
                  Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.678923352.0000000007AF5000.00000004.00000001.sdmp -- Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
                  Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp -- Binary or memory string: vmware
                  Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp -- Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp -- Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp -- Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                  Source: NEW-P&I_Circularpdf.exe -- Binary or memory string: Hyper-V RAW
                  Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp -- Binary or memory string: VMWARE
                  Source: NEW-P&I_Circularpdf.exe, 00000008.00000003.890791103.00000000012E1000.00000004.00000001.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
                  Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp -- Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp -- Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp -- Binary or memory string: VMware SVGA II
                  Source: NEW-P&I_Circularpdf.exe, 00000000.00000002.668971601.000000000313C000.00000004.00000001.sdmp -- Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\NEW-P&I_Circularpdf.exe -- Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion: