Windows Analysis Report
Eaton PO-45150292964.exe

Overview

General Information

Sample name: Eaton PO-45150292964.exe
Analysis ID: 1427169
MD5: 3a64b763c78291700bd114bfc3ecdde3
SHA1: 7260be2d4cf3fbcf231e94a84c8f3cf252163c89
SHA256: 8bbfa40764eabafad6f90d973784f343b8d7146689f4fd4384da26935b2bca5e
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}
Source: Eaton PO-45150292964.exe ReversingLabs: Detection: 39%
Source: Eaton PO-45150292964.exe Virustotal: Detection: 52%
Source: Eaton PO-45150292964.exe Joe Sandbox ML: detected
Source: Eaton PO-45150292964.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: Eaton PO-45150292964.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View IP Address: 46.175.148.58 46.175.148.58
Source: Joe Sandbox View ASN Name: ASLAGIDKOM-NETUA ASLAGIDKOM-NETUA
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: api.ipify.org
Source: global traffic TCP traffic: 192.168.2.5:49706 -> 46.175.148.58:25
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: Eaton PO-45150292964.exe, 00000006.00000002.4451010775.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.iaa-airferight.com
Source: Eaton PO-45150292964.exe, 00000006.00000002.4451010775.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Eaton PO-45150292964.exe, 00000000.00000002.1995567829.0000000003564000.00000004.00000800.00020000.00000000.sdmp, Eaton PO-45150292964.exe, 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp, Eaton PO-45150292964.exe, 00000006.00000002.4449526095.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: Eaton PO-45150292964.exe, 00000000.00000002.1995567829.0000000003564000.00000004.00000800.00020000.00000000.sdmp, Eaton PO-45150292964.exe, 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp, Eaton PO-45150292964.exe, 00000006.00000002.4451010775.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Eaton PO-45150292964.exe, 00000006.00000002.4449526095.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: Eaton PO-45150292964.exe, 00000006.00000002.4451010775.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: Eaton PO-45150292964.exe, 00000006.00000002.4451010775.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, abAX9N.cs .Net Code: BFeixnEv
Source: 0.2.Eaton PO-45150292964.exe.36d8b10.0.raw.unpack, abAX9N.cs .Net Code: BFeixnEv
Source: 0.2.Eaton PO-45150292964.exe.3713540.1.raw.unpack, abAX9N.cs .Net Code: BFeixnEv
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Eaton PO-45150292964.exe
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Eaton PO-45150292964.exe.3713540.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.Eaton PO-45150292964.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Eaton PO-45150292964.exe.36d8b10.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Eaton PO-45150292964.exe.3713540.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Eaton PO-45150292964.exe.36d8b10.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 0_2_04A50054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 0_2_04A50054
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 0_2_04A50000 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 0_2_04A50000
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 6_2_00FD4A98 6_2_00FD4A98
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 6_2_00FDADF0 6_2_00FDADF0
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 6_2_00FD3E80 6_2_00FD3E80
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 6_2_00FD41C8 6_2_00FD41C8
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 6_2_06683578 6_2_06683578
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 6_2_06685D30 6_2_06685D30
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 6_2_066845A0 6_2_066845A0
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 6_2_06681030 6_2_06681030
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 6_2_0668E0B9 6_2_0668E0B9
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 6_2_0668A140 6_2_0668A140
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 6_2_066891E0 6_2_066891E0
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 6_2_06685650 6_2_06685650
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 6_2_0668C618 6_2_0668C618
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 6_2_06683C8F 6_2_06683C8F
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 6_2_06680328 6_2_06680328
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 80
Source: Eaton PO-45150292964.exe, 00000000.00000002.1994771331.00000000009AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Eaton PO-45150292964.exe
Source: Eaton PO-45150292964.exe, 00000000.00000000.1967800956.0000000000298000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamecBvCffO.exe< vs Eaton PO-45150292964.exe
Source: Eaton PO-45150292964.exe, 00000000.00000002.1995567829.0000000003564000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs Eaton PO-45150292964.exe
Source: Eaton PO-45150292964.exe, 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs Eaton PO-45150292964.exe
Source: Eaton PO-45150292964.exe, 00000006.00000002.4449730524.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Eaton PO-45150292964.exe
Source: Eaton PO-45150292964.exe, 00000006.00000002.4449526095.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs Eaton PO-45150292964.exe
Source: Eaton PO-45150292964.exe Binary or memory string: OriginalFilenamecBvCffO.exe< vs Eaton PO-45150292964.exe
Source: Eaton PO-45150292964.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Eaton PO-45150292964.exe.3713540.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.Eaton PO-45150292964.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Eaton PO-45150292964.exe.36d8b10.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Eaton PO-45150292964.exe.3713540.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Eaton PO-45150292964.exe.36d8b10.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Eaton PO-45150292964.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Eaton PO-45150292964.exe, tyFJ.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, RsYAkkzVoy.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, Kqqzixk.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, xROdzGigX.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, ywes.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, iPVW0zV.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, 1Pi9sgbHwoV.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, YUgDfWK2g4.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, YUgDfWK2g4.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/0@2/2
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2764
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\52feed5b-8ffe-4cd1-8d8a-78dfd9832551
Source: Eaton PO-45150292964.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Eaton PO-45150292964.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Eaton PO-45150292964.exe ReversingLabs: Detection: 39%
Source: Eaton PO-45150292964.exe Virustotal: Detection: 52%
Source: unknown Process created: C:\Users\user\Desktop\Eaton PO-45150292964.exe "C:\Users\user\Desktop\Eaton PO-45150292964.exe"
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process created: C:\Users\user\Desktop\Eaton PO-45150292964.exe "C:\Users\user\Desktop\Eaton PO-45150292964.exe"
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 80
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Eaton PO-45150292964.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Eaton PO-45150292964.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 0_2_00C30015 push ss; ret 0_2_00C3001E
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 6_2_00FD0B4D push edi; ret 6_2_00FD0CC2
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 6_2_00FD0C95 push edi; retf 6_2_00FD0C3A

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (129).png
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Memory allocated: C30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Memory allocated: 2560000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Memory allocated: 4560000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Memory allocated: FD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Memory allocated: 2C90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Memory allocated: 2A10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Window / User API: threadDelayed 649 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Window / User API: threadDelayed 9211 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 3732 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 5356 Thread sleep count: 200 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 5356 Thread sleep count: 100 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -26747778906878833s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 2716 Thread sleep count: 649 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -99890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 2716 Thread sleep count: 9211 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -99780s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -99671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -99562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -99453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -99344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -99234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -99125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -99015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -98906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -98797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -98687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -98578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -98467s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -98359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -98250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -98140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -98031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -97922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -97797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -97687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -97578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -97468s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -97359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -97250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -97140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -97031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -96922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -96797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -96687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -96578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -96469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -96344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -96234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -96125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -96015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -95906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -95797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -95687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -95578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -95468s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -95359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -95250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -95140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -95031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -94922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -94811s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -94699s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 Thread sleep time: -94594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 99890 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 99780 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 99671 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 99562 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 99453 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 99344 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 99234 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 99125 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 99015 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 98906 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 98797 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 98687 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 98578 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 98467 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 98359 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 98250 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 98140 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 98031 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 97922 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 97797 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 97687 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 97578 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 97468 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 97359 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 97250 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 97140 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 97031 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 96922 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 96797 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 96687 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 96578 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 96469 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 96344 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 96234 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 96125 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 96015 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 95906 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 95797 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 95687 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 95578 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 95468 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 95359 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 95250 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 95140 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 95031 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 94922 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 94811 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 94699 Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Thread delayed: delay time: 94594 Jump to behavior
Source: Eaton PO-45150292964.exe, 00000006.00000002.4450149868.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Code function: 0_2_04A50054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 0_2_04A50054
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Memory written: C:\Users\user\Desktop\Eaton PO-45150292964.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process created: C:\Users\user\Desktop\Eaton PO-45150292964.exe "C:\Users\user\Desktop\Eaton PO-45150292964.exe" Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Process created: C:\Users\user\Desktop\Eaton PO-45150292964.exe "C:\Users\user\Desktop\Eaton PO-45150292964.exe" Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Queries volume information: C:\Users\user\Desktop\Eaton PO-45150292964.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Queries volume information: C:\Users\user\Desktop\Eaton PO-45150292964.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 0.2.Eaton PO-45150292964.exe.4b10000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eaton PO-45150292964.exe.3713540.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Eaton PO-45150292964.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eaton PO-45150292964.exe.36d8b10.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eaton PO-45150292964.exe.3713540.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eaton PO-45150292964.exe.36d8b10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.4451010775.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4449526095.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4451010775.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1995567829.0000000003564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Eaton PO-45150292964.exe PID: 6620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eaton PO-45150292964.exe PID: 4512, type: MEMORYSTR
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: Yara match File source: 0.2.Eaton PO-45150292964.exe.4b10000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eaton PO-45150292964.exe.3713540.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Eaton PO-45150292964.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eaton PO-45150292964.exe.36d8b10.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eaton PO-45150292964.exe.3713540.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eaton PO-45150292964.exe.36d8b10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.4449526095.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4451010775.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1995567829.0000000003564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Eaton PO-45150292964.exe PID: 6620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eaton PO-45150292964.exe PID: 4512, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.Eaton PO-45150292964.exe.4b10000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eaton PO-45150292964.exe.3713540.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Eaton PO-45150292964.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eaton PO-45150292964.exe.36d8b10.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eaton PO-45150292964.exe.3713540.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eaton PO-45150292964.exe.36d8b10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.4451010775.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4449526095.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4451010775.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1995567829.0000000003564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Eaton PO-45150292964.exe PID: 6620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eaton PO-45150292964.exe PID: 4512, type: MEMORYSTR