Windows Analysis Report
a2e-enterprise.26.3.3677.2903.exe

Overview

General Information

Sample name:a2e-enterprise.26.3.3677.2903.exe
Analysis ID:1407717
MD5:29c3418978dd57c42c7e9530b3aac3d6
SHA1:08283dd80f9597fffd5abc3977b21894e9ad962b
SHA256:22a18e7582631d3d2efae7d691fc20421c7a9693103b6f21a190f664c686b94b
Detection

Score:5
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
  • System is w10x64
  • a2e-enterprise.26.3.3677.2903.exe (PID: 7316 cmdline: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe MD5: 29C3418978DD57C42C7E9530B3AAC3D6)
    • conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: a2e-enterprise.26.3.3677.2903.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\EULA\Add2Exchange EULA.rtf
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\EULA\Add2Exchange EULA.pdf
Source: Binary string: F:\Office\Target\x86\ship\click2run\en-us\AdminBootstrapper.pdbpdbGCTL source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr
Source: Binary string: DPCA.pdb source: Add2ExchangeSetup.msi.0.dr
Source: Binary string: F:\Office\Target\x86\ship\click2run\en-us\AdminBootstrapper.pdb source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr
Source: Binary string: E3BA6A-4260-D8AD-6F2E-E0BA27C2626F}C__DB5490D874434060B5523DC70DC6B4C7ADD2EX~2.PDB|Add2Exchange Agent.pdb_DCD27D1155FD4FA49AFEC52B9E214BCFC__DCD27D1155FD4FA49AFEC52B9E214BCFInstallUtilB03F5F7F11D50A3APublicKeyToken4.0.0.0{C765414F-517E-9D44-62DB-200DC45A7F01}4.0.30319.1INSTAL~1.EXE|InstallUtil.exe_E03A55A6B7E740C8A8611EDEE423521F{3379E351-9B46-C8C1-8C31-193B6939E1C9}C__E03A55A6B7E740C8A8611EDEE423521FPROFMAN.DLL|ProfMan.dll_E155EF057E684BC49827EACF5A35D6C7{CB60CA7A-BE59-83D9-B889-8C03277AB948}C__E155EF057E6 source: Add2ExchangeSetup.msi.0.dr
Source: Binary string: DPCA.pdb<0 source: Add2ExchangeSetup.msi.0.dr
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; Code function: 0_2_0040729B __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr; String found in binary or memory: http://127.0.0.1:13556/HosterIdentityHttpLogWriterEndpointInsiderSlabBehaviorProviderLabMachineLangT
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://support.diditbetter.com/Secure/Login.aspx?returnurl=/downloads.aspx
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://support.diditbetter.com/disable-group-policy.aspx
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://support.diditbetter.com/support-request.aspx
Source: Add2ExchangeSetup.msi.0.dr; String found in binary or memory: http://www.DidITBetter.com/Solutions/Add2Exchange/Overview.aspARPHELPLINKAdvantage
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, Add2Exchange EULA.rtf.0.dr, Add2ExchangeSetup.msi.0.dr; String found in binary or memory: http://www.DidITbetter.com
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.sysinternals.com
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.sysinternals.comopenThe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr; String found in binary or memory: https://aka.ms/ssmsfullsetup
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr; String found in binary or memory: https://client-office365-tas.msedge.net/abMicrosoft.Office.Experimentation.SendTenantIdToTasMicrosof
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr; String found in binary or memory: https://config.edge.skype.net/config/v1/Officehttps://config.edge.skype.com/config/v1/Office0.0.0.0?
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr; String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com/nexus/rules/nexus/upload/
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr; String found in binary or memory: https://ocos-office365-s2s.msedge.net/abclientidRequestGUIDX-MSEdge-IGcorpnetflightReached
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, SQL12x_to_SQL12xSP4.ps1.0.dr, SQL12x_to_SQL22x.ps1.0.dr; String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/A2EDiags-2.3.exe
Source: SQL12x_to_SQL22x.ps1.0.dr; String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/SQL%20Express/Microsoft_SQL_Server_Express_2022.ini
Source: SQL12x_to_SQL22x.ps1.0.dr; String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/SQL%20Express/SQL2022-SSEI-Expr.exe
Source: SQL12x_to_SQL12xSP4.ps1.0.dr; String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/SQL%20Express/SQLEXPR_x86_ENU_2012SP4.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/SQL%20Express/SQLServer2008SP4-KB2979596-x86-ENU.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/SQL%20Express/SSMS-Setup-ENU.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr; String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Add2Exchange_Guide.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr; String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/GAL_Sync_Scenario.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr; String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Migrating_A2E_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr; String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Migrating_Environments_A2E_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr; String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Private_to_Private_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr; String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Private_to_Public_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr; String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Public_to_Private_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr; String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Public_to_Public_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr; String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Template_Creation_RGM_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr; String found in binary or memory: https://support.DidItBetter.com/
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr; String found in binary or memory: https://support.diditbetter.com/downloads.aspx
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr; String found in binary or memory: https://support.diditbetter.com/support-request.aspx
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: RegisterRawInputDevices
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; Code function: 0_2_004171E0
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; Code function: 0_2_0041525D
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; Code function: 0_2_0041239B
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; Code function: 0_2_00419640
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; Code function: 0_2_00418D70
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; Code function: 0_2_00417EF0
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; Code function: 0_2_00419E80
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; Code function: 0_2_00416F4A
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; Code function: 0_2_00418F60
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; Code function: String function: 0040540C appears 42 times
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; Code function: String function: 004199A0 appears 232 times
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameBootstrapper.exeB vs a2e-enterprise.26.3.3677.2903.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002B14000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameBootstrapper.exeB vs a2e-enterprise.26.3.3677.2903.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000000.1748755714.0000000000428000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilename7z.sfx.exe, vs a2e-enterprise.26.3.3677.2903.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameAutolog.exeN vs a2e-enterprise.26.3.3677.2903.exe
Source: a2e-enterprise.26.3.3677.2903.exe; Binary or memory string: OriginalFilename7z.sfx.exe, vs a2e-enterprise.26.3.3677.2903.exe
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; Section loaded: apphelp.dll
Source: classification engine; Classification label: clean5.winEXE@2/93@0/0
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: a2e-enterprise.26.3.3677.2903.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Add2ExchangeSetup.msi.0.dr; Binary or memory string: SELECT `Directory`, `DefaultDir` FROM `Directory` WHERE `Directory_Parent` = '%s'Software\Microsoft\NET Framework Setup\NDP\v3.%lu%sSOFTWARE\Microsoft\NET Framework Setup\DotNetClient\v3.5Software\Microsoft\NET Framework Setup\NDPSELECT * FROM `%s`Custom action not implemented.ToggleNearestAppRoot.kernel32IsWow64ProcessProcess call was successful.The error indicates that IIS is in 64 bit mode, while this application is a 32 bit application and thus not compatible.The error indicates that IIS is in 32 bit mode, while this application is a 64 bit application and thus not compatible.The error indicates that this version of ASP.NET must first be registered on the machine.Unknown Error.The call to aspnet_regiis.exe was failed. Path: '%s'Process Call Result Code: '%ld'Process Exit Code: '%ld'.Create Process failed.Running process '%s' with parameters '%s' silently...Access denied.CoInitializeEx - COM initialization Free Threaded.FAILED:%ldCoInitializeEx - COM initialization Apartment Threaded...Attach Debugger To MeVSCADEBUGATTACHSetTARGETSITETargetVersion%s\v%d\%sGatherWebSitesGatherAppPoolsSetTARGETAPPPOOLTARGETIISPATHRoot//LM/TARGETVDIRTARGETSITESetTARGETIISPATHaspnet_regiis.exeRESULTPath = PathUsing 64 bit registry key...Reading registry value Path from key 'HKLM\%s'...Software\Microsoft\ASP.NET\%sProductNameRunning show message with fUseMessageBox = %sFALSETRUEVSDINVALIDURLMSGHideFatalErrorFormopenExecuting URL '%s' with source directory '%s'...SourceDirRESULT:Condition is false.RESULT:Condition is true. Nothing more to do.Evaluating condition '%s'...Getting the condition to evaluate...A launch condition has already fired. My work is done here.Checking a launch condition..."/><supportedRuntime version=";VSDFxConfigFile
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; File read: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
Source: unknown; Process created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: a2e-enterprise.26.3.3677.2903.exe; Static file information: File size 42987850 > 1048576
Source: setup.exe0.0.dr; Static PE information: real checksum: 0x4fc7d8 should be: 0x4f70e0
Source: setup.exe.0.dr; Static PE information: real checksum: 0x4fc7d8 should be: 0x4f70e0
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; Code function: 0_2_004199A0 push eax; ret
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\setup.exe
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Autologon.exe
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\setup.exe
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; Dropped PE file which has not been started: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\setup.exe
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; Dropped PE file which has not been started: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Autologon.exe
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; Dropped PE file which has not been started: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\setup.exe
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: a2e-enterprise.26.3.3677.2903.exe; Binary or memory string: ;qEMu
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe; Code function: 0_2_00404151 __EH_prolog,GetVersionExA,
MITRE ATT&CK Matrix

Techniques are listed per tactic column of the original matrix. A number in parentheses is the count shown beside that technique in the original matrix; techniques without a number had no count displayed.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Masquerading (1); Process Injection (1); Deobfuscate/Decode Files or Information (1); DLL Side-Loading (1); Obfuscated Files or Information (2)
Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (1); File and Directory Discovery (1); System Information Discovery (2); System Network Configuration Discovery; Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Input Capture (11); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact