Edit tour

Windows Analysis Report
Purchase Order #2024-030-AC2021,pdf.exe

Overview

General Information

Sample name:	Purchase Order #2024-030-AC2021,pdf.exe
Analysis ID:	1394337
MD5:	f3eb861633087183e550abe76551801f
SHA1:	4b97d4a0ce597cb4dd223b13f1551b5db7a02d26
SHA256:	4e9356141c7e446794e4d4cfcde9187b2232d6c55a512f06be31c0fbab9ab80c
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

.NET source code contains potential unpacker

.NET source code contains process injector

.NET source code references suspicious native API functions

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample has a suspicious name (potential lure to open the executable)

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Tries to load missing DLLs

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Purchase Order #2024-030-AC2021,pdf.exe (PID: 5712 cmdline: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe MD5: F3EB861633087183E550ABE76551801F)

CasPol.exe (PID: 5788 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)

AddInProcess32.exe (PID: 5444 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe MD5: 9827FF3CDF4B83F9C86354606736CA9C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{
  "Exfil Mode": "SMTP",
  "Port": "587",
  "Host": "smtp.ionos.com",
  "Username": "salesfire@emisafe.ae",
  "Password": "nM33@e$pe%gg786o"
}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.3259788358.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.3259788358.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.3257225314.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3257225314.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2039148107.0000000004FB3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2039148107.0000000004FB3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.3259788358.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3259788358.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2039148107.0000000004239000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2039148107.0000000004239000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2049839292.000000000935C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.2049839292.000000000935C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Purchase Order #2024-030-AC2021,pdf.exe PID: 5712	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Purchase Order #2024-030-AC2021,pdf.exe PID: 5712	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Purchase Order #2024-030-AC2021,pdf.exe PID: 5712	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Purchase Order #2024-030-AC2021,pdf.exe PID: 5712	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: AddInProcess32.exe PID: 5444	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AddInProcess32.exe PID: 5444	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.AddInProcess32.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x341e1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34253:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x342dd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3436f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x343d9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3444b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x344e1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34571:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x323e1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32453:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x324dd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3256f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x325d9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3264b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x326e1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32771:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Purchase Order #2024-030-AC2021,pdf.exe.4275220.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order #2024-030-AC2021,pdf.exe.4275220.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Purchase Order #2024-030-AC2021,pdf.exe.4275220.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x323e1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32453:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x324dd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3256f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x325d9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3264b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x326e1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32771:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x341e1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34253:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x342dd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3436f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x343d9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3444b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x344e1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34571:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Purchase Order #2024-030-AC2021,pdf.exe.4275220.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order #2024-030-AC2021,pdf.exe.4275220.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Purchase Order #2024-030-AC2021,pdf.exe.4275220.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Purchase Order #2024-030-AC2021,pdf.exe.4275220.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x341e1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6fa11:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34253:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6fa83:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x342dd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6fb0d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3436f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6fb9f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x343d9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6fc09:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3444b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6fc7b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x344e1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6fd11:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34571:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6fda1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x7df41:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x7df99:$e2: Add-MpPreference -ExclusionPath
0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0x7dcb5:$s1: c:\windows\system32\cmstp.exe 0x7d9fd:$s2: taskkill /IM cmstp.exe /F 0x7d92f:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0x7daf3:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x7deeb:$r1: Classes\Folder\shell\open\command 0x7cd35:$k1: DelegateExecute
0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x7ce8d:$s1: This file can't run into Virtual Machines 0x7cd95:$s4: Run without emulation 0x7cf63:$s5: Run using valid operating system 0x7cfa5:$v1: SbieDll.dll 0x7cfbd:$v2: USER 0x7dd22:$v2: USER 0x7cfc7:$v3: SANDBOX 0x7cfd7:$v4: VIRUS 0x7d01f:$v4: VIRUS 0x7cfe3:$v5: MALWARE 0x7cff3:$v6: SCHMIDTI 0x7d005:$v7: CURRENTUSER
0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x7fd41:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x7fd99:$e2: Add-MpPreference -ExclusionPath
0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0x7fab5:$s1: c:\windows\system32\cmstp.exe 0x7f7fd:$s2: taskkill /IM cmstp.exe /F 0x7f72f:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0x7f8f3:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x7fceb:$r1: Classes\Folder\shell\open\command 0x7eb35:$k1: DelegateExecute
0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x7ec8d:$s1: This file can't run into Virtual Machines 0x7eb95:$s4: Run without emulation 0x7ed63:$s5: Run using valid operating system 0x7eda5:$v1: SbieDll.dll 0x7edbd:$v2: USER 0x7fb22:$v2: USER 0x7edc7:$v3: SANDBOX 0x7edd7:$v4: VIRUS 0x7ee1f:$v4: VIRUS 0x7ede3:$v5: MALWARE 0x7edf3:$v6: SCHMIDTI 0x7ee05:$v7: CURRENTUSER
0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x7df41:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x7df99:$e2: Add-MpPreference -ExclusionPath
0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0x7dcb5:$s1: c:\windows\system32\cmstp.exe 0x7d9fd:$s2: taskkill /IM cmstp.exe /F 0x7d92f:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0x7daf3:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x7deeb:$r1: Classes\Folder\shell\open\command 0x7cd35:$k1: DelegateExecute
0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x7ce8d:$s1: This file can't run into Virtual Machines 0x7cd95:$s4: Run without emulation 0x7cf63:$s5: Run using valid operating system 0x7cfa5:$v1: SbieDll.dll 0x7cfbd:$v2: USER 0x7dd22:$v2: USER 0x7cfc7:$v3: SANDBOX 0x7cfd7:$v4: VIRUS 0x7d01f:$v4: VIRUS 0x7cfe3:$v5: MALWARE 0x7cff3:$v6: SCHMIDTI 0x7d005:$v7: CURRENTUSER
0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x7fd41:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x157161:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x7fd99:$e2: Add-MpPreference -ExclusionPath 0x1571b9:$e2: Add-MpPreference -ExclusionPath
0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0x7fab5:$s1: c:\windows\system32\cmstp.exe 0x156ed5:$s1: c:\windows\system32\cmstp.exe 0x7f7fd:$s2: taskkill /IM cmstp.exe /F 0x156c1d:$s2: taskkill /IM cmstp.exe /F 0x7f72f:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0x156b4f:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0x7f8f3:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", "" 0x156d13:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x7fceb:$r1: Classes\Folder\shell\open\command 0x15710b:$r1: Classes\Folder\shell\open\command 0x7eb35:$k1: DelegateExecute 0x155f55:$k1: DelegateExecute
0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x7ec8d:$s1: This file can't run into Virtual Machines 0x1560ad:$s1: This file can't run into Virtual Machines 0x7eb95:$s4: Run without emulation 0x155fb5:$s4: Run without emulation 0x7ed63:$s5: Run using valid operating system 0x156183:$s5: Run using valid operating system 0x7eda5:$v1: SbieDll.dll 0x1561c5:$v1: SbieDll.dll 0x7edbd:$v2: USER 0x7fb22:$v2: USER 0x1561dd:$v2: USER 0x156f42:$v2: USER 0x7edc7:$v3: SANDBOX 0x1561e7:$v3: SANDBOX 0x7edd7:$v4: VIRUS 0x7ee1f:$v4: VIRUS 0x1561f7:$v4: VIRUS 0x15623f:$v4: VIRUS 0x7ede3:$v5: MALWARE 0x156203:$v5: MALWARE 0x7edf3:$v6: SCHMIDTI
Click to see the 37 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 74.208.5.2, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Initiated: true, ProcessId: 5444, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49709

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Exploits
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://heygirlisheeverythingyouwantedinaman.com/get/65ce47b5a46777f9cb231540Cu	Avira URL Cloud: Label: malware
Source: https://heygirlisheeverythingyouwantedinaman.com/get/65ce47b5a46777f9cb231540	Avira URL Cloud: Label: malware
Source: https://heygirlisheeverythingyouwantedinaman.com	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.ionos.com", "Username": "salesfire@emisafe.ae", "Password": "nM33@e$pe%gg786o"}

Multi AV Scanner detection for domain / URL

Source: heygirlisheeverythingyouwantedinaman.com	Virustotal: Detection: 11%	Perma Link
Source: https://heygirlisheeverythingyouwantedinaman.com	Virustotal: Detection: 5%	Perma Link
Source: https://heygirlisheeverythingyouwantedinaman.com/get/65ce47b5a46777f9cb231540	Virustotal: Detection: 14%	Perma Link

Multi AV Scanner detection for submitted file

Source: Purchase Order #2024-030-AC2021,pdf.exe	ReversingLabs: Detection: 34%
Source: Purchase Order #2024-030-AC2021,pdf.exe	Virustotal: Detection: 68%			Perma Link

Machine Learning detection for sample

Source: Purchase Order #2024-030-AC2021,pdf.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack	String decryptor: $%5'$:
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack	String decryptor: `R cvJW&H(D(WAG
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack	String decryptor: cSXU]QyT~SXU]LyTcSEU]QyIcSXU]QyTcSXU
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack	String decryptor: '6(=$7o
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack	String decryptor: vFCY,)-
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack	String decryptor: rUB]TYSE

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2049839292.000000000935C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order #2024-030-AC2021,pdf.exe PID: 5712, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 172.67.190.93:443 -> 192.168.2.5:49706 version: TLS 1.2

Source: Purchase Order #2024-030-AC2021,pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\_RU\WeAreChmnet\WeGonnaDOIT\obj\Debug\WeGonnaDOIT.pdb source: Purchase Order #2024-030-AC2021,pdf.exe

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.4275220.1.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49709 -> 74.208.5.2:587

Source: global traffic	HTTP traffic detected: GET /get/65ce47b5a46777f9cb231540 HTTP/1.1Host: heygirlisheeverythingyouwantedinaman.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 172.67.190.93 172.67.190.93

Source: Joe Sandbox View

ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

TCP traffic: 192.168.2.5:49709 -> 74.208.5.2:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /get/65ce47b5a46777f9cb231540 HTTP/1.1Host: heygirlisheeverythingyouwantedinaman.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: heygirlisheeverythingyouwantedinaman.com

Source: AddInProcess32.exe, 00000004.00000002.3259788358.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3258172393.0000000000D59000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3258759420.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3258172393.0000000000D65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.geotrust.com/GeoTrustTLSRSACAG1.crt0
Source: AddInProcess32.exe, 00000004.00000002.3264891247.0000000005E63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdp.geotrust.c4
Source: AddInProcess32.exe, 00000004.00000002.3259788358.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3258172393.0000000000D59000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3258759420.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3258172393.0000000000D65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdp.geotrust.com/GeoTrustTLSRSACAG1.crl0
Source: AddInProcess32.exe, 00000004.00000002.3259788358.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3258172393.0000000000D59000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3264891247.0000000005E63000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3258172393.0000000000D65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
Source: AddInProcess32.exe, 00000004.00000002.3259788358.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2039148107.0000000004239000.00000004.00000800.00020000.00000000.sdmp, Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2039148107.0000000004FB3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3259788358.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3257225314.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2049839292.000000000935C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: AddInProcess32.exe, 00000004.00000002.3259788358.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3258172393.0000000000D59000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3264891247.0000000005E63000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3258172393.0000000000D65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0B
Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2037028159.0000000003051000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3259788358.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AddInProcess32.exe, 00000004.00000002.3259788358.0000000002C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.ionos.com
Source: AddInProcess32.exe, 00000004.00000002.3259788358.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3258172393.0000000000D59000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3258759420.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3258172393.0000000000D65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://status.geotrust.com0
Source: AddInProcess32.exe, 00000004.00000002.3259788358.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3258172393.0000000000D59000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3258759420.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3258172393.0000000000D65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0v
Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2039148107.0000000004239000.00000004.00000800.00020000.00000000.sdmp, Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2039148107.0000000004FB3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3257225314.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2037028159.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://heygirlisheeverythingyouwantedinaman.com
Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2037028159.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://heygirlisheeverythingyouwantedinaman.com/get/65ce47b5a46777f9cb231540
Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2035942363.00000000012A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://heygirlisheeverythingyouwantedinaman.com/get/65ce47b5a46777f9cb231540Cu
Source: AddInProcess32.exe, 00000004.00000002.3259788358.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3258172393.0000000000D59000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3264891247.0000000005E63000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3258172393.0000000000D65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown

HTTPS traffic detected: 172.67.190.93:443 -> 192.168.2.5:49706 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack, hxAF.cs	.Net Code: i3iE6is4Y
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.4275220.1.raw.unpack, hxAF.cs	.Net Code: i3iE6is4Y

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.4275220.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.4275220.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Purchase Order #2024-030-AC2021,pdf.exe

Sample has a suspicious name (potential lure to open the executable)

Source: Purchase Order #2024-030-AC2021,pdf.exe

Static file information: Suspicious name

Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Code function: 0_2_014CD5C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00CCA8B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00CC4AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00CC3EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00CCEE60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00CC41F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_062EC480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_062EB174
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_062EE290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_062EAE4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06366690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0636B6D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0636C210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06365270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0636B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06363128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06367E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06367740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0636E438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06362438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06360006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06360040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0636597B

Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000000.2010286322.0000000000C52000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWeGonnaDOIT.exe8 vs Purchase Order #2024-030-AC2021,pdf.exe
Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2039148107.0000000004239000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec8c2ad0c-0f4e-428b-a14d-0a42ac8054b9.exe4 vs Purchase Order #2024-030-AC2021,pdf.exe
Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2035942363.000000000126E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order #2024-030-AC2021,pdf.exe
Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2049839292.000000000935C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOfanepowamifovekucocu8 vs Purchase Order #2024-030-AC2021,pdf.exe
Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2037028159.00000000030A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec8c2ad0c-0f4e-428b-a14d-0a42ac8054b9.exe4 vs Purchase Order #2024-030-AC2021,pdf.exe
Source: Purchase Order #2024-030-AC2021,pdf.exe	Binary or memory string: OriginalFilenameWeGonnaDOIT.exe8 vs Purchase Order #2024-030-AC2021,pdf.exe

Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msasn1.dll

Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.4275220.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.4275220.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window

Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack, SetLocalSignaturegetIsGenericTypeDefinition.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack, N43UVggPg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack, N43UVggPg.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack, Ow96S4wT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack, Ow96S4wT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack, Ow96S4wT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack, Ow96S4wT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack, MjzNdC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack, MjzNdC.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack, ConcurrentCollectionSyncRootNotSupportedAsR8.cs	Task registration methods: 'TaskWaitMultiNullTaskCreateBillboard'
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack, ConcurrentCollectionSyncRootNotSupportedAsR8.cs	Task registration methods: 'TaskWaitMultiNullTaskCreateBillboard'

Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack, SetLocalSignaturegetIsGenericTypeDefinition.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack, SetLocalSignaturegetIsGenericTypeDefinition.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack, SetLocalSignaturegetIsGenericTypeDefinition.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack, SetLocalSignaturegetIsGenericTypeDefinition.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack, TaskCompletionSource1WithCancellation.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack, TaskCompletionSource1WithCancellation.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack, TaskCompletionSource1WithCancellation.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack, TaskCompletionSource1WithCancellation.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@5/1@3/3

Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order #2024-030-AC2021,pdf.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Mutant created: NULL

Source: Purchase Order #2024-030-AC2021,pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Purchase Order #2024-030-AC2021,pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Purchase Order #2024-030-AC2021,pdf.exe	ReversingLabs: Detection: 34%
Source: Purchase Order #2024-030-AC2021,pdf.exe	Virustotal: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Source: Purchase Order #2024-030-AC2021,pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Purchase Order #2024-030-AC2021,pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Purchase Order #2024-030-AC2021,pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\_RU\WeAreChmnet\WeGonnaDOIT\obj\Debug\WeGonnaDOIT.pdb source: Purchase Order #2024-030-AC2021,pdf.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack, ConcurrentCollectionSyncRootNotSupportedAsR8.cs	.Net Code: GetTimestampTaskAwaiter1
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack, ConcurrentCollectionSyncRootNotSupportedAsR8.cs	.Net Code: GetTimestampTaskAwaiter1

Source: Purchase Order #2024-030-AC2021,pdf.exe

Static PE information: 0xBE695D8E [Thu Mar 26 06:17:50 2071 UTC]

Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe

Code function: 0_2_014CF170 push eax; iretd

Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2049839292.000000000935C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order #2024-030-AC2021,pdf.exe PID: 5712, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2039148107.0000000004239000.00000004.00000800.00020000.00000000.sdmp, Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2039148107.0000000004FB3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3257225314.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3259788358.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2049839292.000000000935C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2049839292.000000000935C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLUSER

Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Memory allocated: 14C0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Memory allocated: 3050000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Memory allocated: 5050000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Memory allocated: 8CA0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Memory allocated: 9CA0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: CC0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 28C0000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 4_2_06363C7B rdtsc

Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Window / User API: threadDelayed 874
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Window / User API: threadDelayed 1657
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 2763

Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe TID: 4416	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe TID: 4416	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe TID: 4416	Thread sleep time: -99874s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe TID: 4416	Thread sleep time: -99764s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe TID: 4416	Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe TID: 4416	Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe TID: 4416	Thread sleep time: -99411s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe TID: 4416	Thread sleep time: -99296s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe TID: 4416	Thread sleep time: -99187s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe TID: 4416	Thread sleep time: -99052s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe TID: 4416	Thread sleep time: -98909s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe TID: 4416	Thread sleep time: -98781s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe TID: 4416	Thread sleep time: -98671s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe TID: 4416	Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe TID: 2700	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe TID: 2260	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 320	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 320	Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1848	Thread sleep count: 571 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 320	Thread sleep time: -99875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1848	Thread sleep count: 2763 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 320	Thread sleep time: -99765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 320	Thread sleep time: -99656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 320	Thread sleep time: -99546s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 320	Thread sleep time: -99437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 320	Thread sleep time: -99328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 320	Thread sleep time: -99218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 320	Thread sleep time: -99109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 320	Thread sleep time: -98999s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 320	Thread sleep time: -98890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 320	Thread sleep time: -98770s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 320	Thread sleep time: -98656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 320	Thread sleep time: -98546s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 320	Thread sleep time: -98437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 320	Thread sleep time: -98328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 320	Thread sleep time: -98218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 320	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Thread delayed: delay time: 99874
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Thread delayed: delay time: 99764
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Thread delayed: delay time: 99656
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Thread delayed: delay time: 99546
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Thread delayed: delay time: 99411
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Thread delayed: delay time: 99296
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Thread delayed: delay time: 99187
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Thread delayed: delay time: 99052
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Thread delayed: delay time: 98909
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Thread delayed: delay time: 98781
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Thread delayed: delay time: 98671
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Thread delayed: delay time: 98562
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477

Source: AddInProcess32.exe, 00000004.00000002.3259788358.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2049839292.000000000935C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: AddInProcess32.exe, 00000004.00000002.3259788358.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2049839292.000000000935C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxARun using valid operating system
Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2049839292.000000000935C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: AddInProcess32.exe, 00000004.00000002.3257225314.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2049839292.000000000935C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2049839292.000000000935C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VIRTUALBOXUSOFTWARE\Oracle\VirtualBox Guest Additions!noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2049839292.000000000935C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2036239525.000000000134A000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3264891247.0000000005E63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe

Process information queried: ProcessInformation

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 4_2_00CC70A0 CheckRemoteDebuggerPresent,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 4_2_06363C7B rdtsc

Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

.NET source code contains process injector

Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack, SetLocalSignaturegetIsGenericTypeDefinition.cs	.Net Code: MemberNameFileAllocationInformation contains injection code
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.96b9860.2.raw.unpack, SetLocalSignaturegetIsGenericTypeDefinition.cs	.Net Code: MemberNameFileAllocationInformation contains injection code

.NET source code references suspicious native API functions

Source: Purchase Order #2024-030-AC2021,pdf.exe, YateList.cs	Reference to suspicious API methods: NativeMethodsH.GetProcAddress(moduleHandle, global::_003CModule_003E.ownedMemoryTryWriteUInt16BigEndian("CastHelpersShiftRightArithmeticRoundedAdd"))
Source: Purchase Order #2024-030-AC2021,pdf.exe, YateList.cs	Reference to suspicious API methods: NativeMethodsH.VirtualProtect(procAddress, source.Length, 64u, out var oldProtect)
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack, SetLocalSignaturegetIsGenericTypeDefinition.cs	Reference to suspicious API methods: VirtualAllocEx(TryFormatInt32DXNNY.IsEvenIntegerReleaseAllResources, num2, writeTimeoutToTitleCase, 12288, 64)
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.9790c80.3.raw.unpack, SetLocalSignaturegetIsGenericTypeDefinition.cs	Reference to suspicious API methods: NtWriteVirtualMemory(TryFormatInt32DXNNY.IsEvenIntegerReleaseAllResources, (IntPtr)num4, DXMNNKoreanLunisolarCalendar, createTypegetWaitingWriteCount, out var ShiftRightArithmeticRoundedgetCharSet)
Source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack, oZQpaCyO4.cs	Reference to suspicious API methods: sHbn6juxSv.OpenProcess(ZHKsyD.DuplicateHandle, bInheritHandle: true, (uint)gmSjiIkP2.ProcessID)

Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Queries volume information: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.4275220.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.4275220.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3259788358.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3259788358.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3257225314.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2039148107.0000000004FB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3259788358.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2039148107.0000000004239000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order #2024-030-AC2021,pdf.exe PID: 5712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 5444, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.4275220.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.4275220.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3257225314.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2039148107.0000000004FB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3259788358.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2039148107.0000000004239000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order #2024-030-AC2021,pdf.exe PID: 5712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 5444, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.4275220.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.42b0a50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order #2024-030-AC2021,pdf.exe.4275220.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3259788358.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3259788358.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3257225314.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2039148107.0000000004FB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3259788358.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2039148107.0000000004239000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order #2024-030-AC2021,pdf.exe PID: 5712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 5444, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	34 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Scheduled Task/Job	1 Obfuscated Files or Information	1 Credentials in Registry	541 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	261 Virtualization/Sandbox Evasion	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	261 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Purchase Order #2024-030-AC2021,pdf.exe	34%	ReversingLabs	Win32.Trojan.Tnega
Purchase Order #2024-030-AC2021,pdf.exe	68%	Virustotal		Browse
Purchase Order #2024-030-AC2021,pdf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
smtp.ionos.com	1%	Virustotal		Browse
heygirlisheeverythingyouwantedinaman.com	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
http://smtp.ionos.com	1%	Virustotal		Browse
https://heygirlisheeverythingyouwantedinaman.com/get/65ce47b5a46777f9cb231540Cu	100%	Avira URL Cloud	malware
http://cdp.geotrust.c4	0%	Avira URL Cloud	safe
https://heygirlisheeverythingyouwantedinaman.com/get/65ce47b5a46777f9cb231540	100%	Avira URL Cloud	malware
https://heygirlisheeverythingyouwantedinaman.com	100%	Avira URL Cloud	malware
http://smtp.ionos.com	0%	Avira URL Cloud	safe
https://heygirlisheeverythingyouwantedinaman.com	5%	Virustotal		Browse
https://heygirlisheeverythingyouwantedinaman.com/get/65ce47b5a46777f9cb231540	14%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
smtp.ionos.com	74.208.5.2	true	true	1%, Virustotal, Browse	unknown
ip-api.com	208.95.112.1	true	false		high
heygirlisheeverythingyouwantedinaman.com	172.67.190.93	true	false	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://heygirlisheeverythingyouwantedinaman.com/get/65ce47b5a46777f9cb231540	false	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://heygirlisheeverythingyouwantedinaman.com/get/65ce47b5a46777f9cb231540Cu	Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2035942363.00000000012A3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://smtp.ionos.com	AddInProcess32.exe, 00000004.00000002.3259788358.0000000002C04000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://account.dyn.com/	Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2039148107.0000000004239000.00000004.00000800.00020000.00000000.sdmp, Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2039148107.0000000004FB3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3257225314.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2037028159.0000000003051000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.3259788358.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cdp.geotrust.c4	AddInProcess32.exe, 00000004.00000002.3264891247.0000000005E63000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://james.newtonking.com/projects/json	Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2049839292.000000000935C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://heygirlisheeverythingyouwantedinaman.com	Purchase Order #2024-030-AC2021,pdf.exe, 00000000.00000002.2037028159.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	5%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ip-api.com	AddInProcess32.exe, 00000004.00000002.3259788358.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
172.67.190.93	heygirlisheeverythingyouwantedinaman.com	United States	13335	CLOUDFLARENETUS	false
74.208.5.2	smtp.ionos.com	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1394337
Start date and time:	2024-02-19 09:53:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 23s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Purchase Order #2024-030-AC2021,pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@5/1@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:53:54	API Interceptor	14x Sleep call for process: Purchase Order #2024-030-AC2021,pdf.exe modified
09:53:57	API Interceptor	17x Sleep call for process: AddInProcess32.exe modified

Process:	C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1513
Entropy (8bit):	5.350429166386848
Encrypted:	false
SSDEEP:	24:ML9Xyr4wE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4q4E4Tyu84j:MpicwHK5HKH1qHiYHKh3oPtHo6hAHKzH
MD5:	465EFCC6D66470A531259A6D9417A6CB
SHA1:	7CEB25C7612B289039BDE035469641A0B10D1C68
SHA-256:	B48406D6C730A07C17712C21F925C30E16CE2715C52612AAC308CCE29351F440
SHA-512:	B47E0979A658758A0F1B643EE3F85B92046B94B73AE0143341F985B7832D86E18158EE108BF5C6CBE9840EF50C0E9E33557685D9D0B165EE4A6576E41D6A8BA2
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"netstandard, Version=2.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e08

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.440296696297883
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Purchase Order #2024-030-AC2021,pdf.exe
File size:	26'112 bytes
MD5:	f3eb861633087183e550abe76551801f
SHA1:	4b97d4a0ce597cb4dd223b13f1551b5db7a02d26
SHA256:	4e9356141c7e446794e4d4cfcde9187b2232d6c55a512f06be31c0fbab9ab80c
SHA512:	2f9ee7321d45fe4d2af10e23789e0258008e2e6eaca6445855a28bfc4fa3557f8c94e3e58754a9999a76f3763b225bf87f016a2c3e3a1769db3742ea9547f5a8
SSDEEP:	384:WnI2V8g892qoKLgiUda3SOj+66uXx9xf8zMA9kSjIPJmuklPTVxQ7J:WxV8g892XKNx3ptXnJmuaPTQ
TLSH:	2CC22C0AA3D8833BC99F0FB7D9A6191027B9D656EF83E75D86CCB8721B333D141112A5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....]i..........."...0.<Z..........6z... ........@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x407a36
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xBE695D8E [Thu Mar 26 06:17:50 2071 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7960	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x5b6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x79aa	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5a3c	0x5c00	75379ab70858e6b5cc9e2217893cff85	False	0.48178498641304346	data	5.601267915521747	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x5b6	0x600	3b6c35e12e4be6e6fd4f3ceadef6aa66	False	0.41796875	data	4.121194235215341	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa000	0xc	0x200	561a7af5fe929713baecb880e7a4c206	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x80a0	0x32c	data			0.4236453201970443
RT_MANIFEST	0x83cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

Total Packets: 42
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 19, 2024 09:53:55.786500931 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:55.786555052 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:55.786634922 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:55.811161995 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:55.811197996 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.014812946 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.015022993 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.018618107 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.018630028 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.019089937 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.073853970 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.125669003 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.165908098 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.449342012 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.449400902 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.449429035 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.449448109 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.449460030 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.449472904 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.449498892 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.449523926 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.449557066 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.449572086 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.449609995 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.449645996 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.449652910 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.450335979 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.450356007 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.450387955 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.450393915 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.450432062 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.524158955 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.524210930 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.524250031 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.524272919 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.524271011 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.524297953 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.524327040 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.524333000 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.524379969 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.524384975 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.525031090 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.525070906 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.525079966 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.525088072 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.525114059 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.525125980 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.525131941 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.525172949 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.525177956 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.526022911 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.526045084 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.526062965 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.526071072 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.526093960 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.526115894 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.526118994 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.526125908 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.526173115 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.526770115 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.526808023 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.526817083 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.526822090 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.526896000 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.600133896 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.600178957 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.600203037 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.600224018 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.600236893 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.600250959 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.600285053 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.600682974 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.600728035 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.600739002 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.600776911 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.601588011 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.601619005 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.601639032 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.601644993 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.601691961 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.602289915 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.602334023 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.602396011 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.602442980 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.611901045 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.611958981 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.611985922 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.612029076 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.612819910 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.612865925 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.613121986 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.613168001 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.613784075 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.613830090 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.613873005 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.613917112 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.614554882 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.614600897 CET	443	49706	172.67.190.93	192.168.2.5
Feb 19, 2024 09:53:56.614607096 CET	49706	443	192.168.2.5	172.67.190.93
Feb 19, 2024 09:53:56.614615917 CET	443	49706	172.67.190.93	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 19, 2024 09:53:55.630465031 CET	54707	53	192.168.2.5	1.1.1.1
Feb 19, 2024 09:53:55.773751020 CET	53	54707	1.1.1.1	192.168.2.5
Feb 19, 2024 09:53:57.837727070 CET	59701	53	192.168.2.5	1.1.1.1
Feb 19, 2024 09:53:57.925973892 CET	53	59701	1.1.1.1	192.168.2.5
Feb 19, 2024 09:53:58.969491959 CET	53583	53	192.168.2.5	1.1.1.1
Feb 19, 2024 09:53:59.058597088 CET	53	53583	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 19, 2024 09:53:55.630465031 CET	192.168.2.5	1.1.1.1	0x6508	Standard query (0)	heygirlisheeverythingyouwantedinaman.com	A (IP address)	IN (0x0001)	false
Feb 19, 2024 09:53:57.837727070 CET	192.168.2.5	1.1.1.1	0x5e0c	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Feb 19, 2024 09:53:58.969491959 CET	192.168.2.5	1.1.1.1	0x11f0	Standard query (0)	smtp.ionos.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 19, 2024 09:53:55.773751020 CET	1.1.1.1	192.168.2.5	0x6508	No error (0)	heygirlisheeverythingyouwantedinaman.com	172.67.190.93	A (IP address)	IN (0x0001)	false
Feb 19, 2024 09:53:55.773751020 CET	1.1.1.1	192.168.2.5	0x6508	No error (0)	heygirlisheeverythingyouwantedinaman.com	104.21.57.121	A (IP address)	IN (0x0001)	false
Feb 19, 2024 09:53:57.925973892 CET	1.1.1.1	192.168.2.5	0x5e0c	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Feb 19, 2024 09:53:59.058597088 CET	1.1.1.1	192.168.2.5	0x11f0	No error (0)	smtp.ionos.com	74.208.5.2	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

heygirlisheeverythingyouwantedinaman.com

ip-api.com

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 19, 2024 09:53:59.315932035 CET	587	49709	74.208.5.2	192.168.2.5	220 perfora.net (mreueus002) Nemesis ESMTP Service ready
Feb 19, 2024 09:53:59.316338062 CET	49709	587	192.168.2.5	74.208.5.2	EHLO 114127
Feb 19, 2024 09:53:59.446036100 CET	587	49709	74.208.5.2	192.168.2.5	250-perfora.net Hello 114127 [191.96.227.222] 250-8BITMIME 250-SIZE 140000000 250 STARTTLS
Feb 19, 2024 09:53:59.446304083 CET	49709	587	192.168.2.5	74.208.5.2	STARTTLS
Feb 19, 2024 09:53:59.573797941 CET	587	49709	74.208.5.2	192.168.2.5	220 OK

Statistics

Behavior

• Purchase Order #2024-030-AC2021,pdf.exe
• CasPol.exe
• AddInProcess32.exe

Click to jump to process

Target ID:	0
Start time:	09:53:53
Start date:	19/02/2024
Path:	C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Purchase Order #2024-030-AC2021,pdf.exe
Imagebase:	0xc50000
File size:	26'112 bytes
MD5 hash:	F3EB861633087183E550ABE76551801F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2039148107.0000000004FB3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2039148107.0000000004FB3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2039148107.0000000004239000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2039148107.0000000004239000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.2049839292.000000000935C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2049839292.000000000935C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	09:53:55
Start date:	19/02/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Imagebase:	0x2a0000
File size:	108'664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: AddInProcess32.exePID: 5444, Parent PID: 5712

General

Target ID:	4
Start time:	09:53:55
Start date:	19/02/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Imagebase:	0x740000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3259788358.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3259788358.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3257225314.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3257225314.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3259788358.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3259788358.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Purchase Order #2024-030-AC2021,pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order #2024-030-AC2021,pdf.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
Purchase Order #2024-030-AC2021,pdf.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre