
Analysis Report Orden_De_Compra_019999_img.exe

Overview

General Information

Sample Name: Orden_De_Compra_019999_img.exe
MD5: cc209b878cb2993332dc05802716ad83
SHA1: c069335fe4a39f64fd0f84b47dae44a832195040
SHA256: b8541f6bb3a95ce34949861ff7224c39c7f207a55801eaa98d421bf3f3a65e98

Most interesting Screenshot:

Detection

AgentTesla
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Suspicious powershell command line found
Writes to foreign memory regions
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • Orden_De_Compra_019999_img.exe (PID: 5060 cmdline: 'C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe' MD5: CC209B878CB2993332DC05802716AD83)
    • powershell.exe (PID: 3896 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\Veladecor_order1.jpg MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegAsm.exe (PID: 940 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.882263652.0000000000422000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.888497000.0000000004131000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.887779335.0000000003F25000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.888931397.000000000437D000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: RegAsm.exe PID: 940 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.RegAsm.exe.420000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Orden_De_Compra_019999_img.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: Orden_De_Compra_019999_img.exe | Virustotal: Detection: 48%
Source: Orden_De_Compra_019999_img.exe | ReversingLabs: Detection: 74%

System Summary:

.NET source code contains very large array initializations
Source: Orden_De_Compra_019999_img.exe, u0033ou002b/u0034xu005e.cs | Large array initialization: 6o/: array initializer size 58880
Source: 0.2.Orden_De_Compra_019999_img.exe.860000.0.unpack, u0033ou002b/u0034xu005e.cs | Large array initialization: 6o/: array initializer size 58880
Source: 0.0.Orden_De_Compra_019999_img.exe.860000.0.unpack, u0033ou002b/u0034xu005e.cs | Large array initialization: 6o/: array initializer size 58880
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Orden_De_Compra_019999_img.exe
Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Code function: 0_2_013CF0C0 CreateProcessAsUserW,
Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Code function: 0_2_013CE396
Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Code function: 0_2_013CE3A7
Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Code function: 0_2_013C9170
Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Code function: 0_2_013C915F
Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Code function: 0_2_013CF4EA
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\RegAsm.exe FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
Source: Orden_De_Compra_019999_img.exe | Binary or memory string: OriginalFilename vs Orden_De_Compra_019999_img.exe
Source: Orden_De_Compra_019999_img.exe, 00000000.00000003.786357497.0000000006B1B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameVRoTkhAbAWTxOhFfGnMWQgqmvYdPrulaHQEGE.exe4 vs Orden_De_Compra_019999_img.exe
Source: Orden_De_Compra_019999_img.exe, 00000000.00000002.893526236.0000000006E3B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRegAsm.exeT vs Orden_De_Compra_019999_img.exe
Source: Orden_De_Compra_019999_img.exe, 00000000.00000002.882173940.0000000000862000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename8000010000000.exe@ vs Orden_De_Compra_019999_img.exe
Source: Orden_De_Compra_019999_img.exe, 00000000.00000002.884333464.0000000002ED0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamesefresf.dllT vs Orden_De_Compra_019999_img.exe
Source: Orden_De_Compra_019999_img.exe, 00000000.00000002.884333464.0000000002ED0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenametgrdcgd.dll2 vs Orden_De_Compra_019999_img.exe
Source: Orden_De_Compra_019999_img.exe, 00000000.00000002.884333464.0000000002ED0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamekilo.dll4 vs Orden_De_Compra_019999_img.exe
Source: Orden_De_Compra_019999_img.exe, 00000000.00000002.891882836.0000000006210000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefvsfesdf.dll2 vs Orden_De_Compra_019999_img.exe
Source: Orden_De_Compra_019999_img.exe | Binary or memory string: OriginalFilename8000010000000.exe@ vs Orden_De_Compra_019999_img.exe
Source: classification engine | Classification label: mal92.troj.evad.winEXE@6/7@0/0
Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | File created: C:\Users\user\Desktop\Veladecor_order1.jpg
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3036:120:WilError_01
Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: Orden_De_Compra_019999_img.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Orden_De_Compra_019999_img.exe | Virustotal: Detection: 48%
Source: Orden_De_Compra_019999_img.exe | ReversingLabs: Detection: 74%
Source: unknown | Process created: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe 'C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\Veladecor_order1.jpg
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\Veladecor_order1.jpg
Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Orden_De_Compra_019999_img.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Orden_De_Compra_019999_img.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Orden_De_Compra_019999_img.exe | Static file information: File size 2458624 > 1048576
Source: Orden_De_Compra_019999_img.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x257a00
Source: Orden_De_Compra_019999_img.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: C:\Users\Switch\source\repos\stub\CopyEx\OchiiMei\OchiiMei\obj\Release\kilo.pdb source: Orden_De_Compra_019999_img.exe, 00000000.00000002.884333464.0000000002ED0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Switch\source\repos\stub\CopyEx\OchiiMei\OchiiMei\obj\Release\kilo.pdb4*N* @*_CorDllMainmscoree.dll source: Orden_De_Compra_019999_img.exe, 00000000.00000002.884333464.0000000002ED0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdb source: Orden_De_Compra_019999_img.exe, 00000000.00000002.884333464.0000000002ED0000.00000004.00000001.sdmp
Source: Binary string: RegAsm.pdb source: Orden_De_Compra_019999_img.exe, 00000000.00000002.893526236.0000000006E3B000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000000.848537856.0000000000042000.00000002.00020000.sdmp, RegAsm.exe.0.dr
Source: Binary string: RegAsm.pdb4 source: Orden_De_Compra_019999_img.exe, 00000000.00000002.893526236.0000000006E3B000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000000.848537856.0000000000042000.00000002.00020000.sdmp, RegAsm.exe.0.dr
Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdbg6 source: Orden_De_Compra_019999_img.exe, 00000000.00000002.884333464.0000000002ED0000.00000004.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\Veladecor_order1.jpg
Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\Veladecor_order1.jpg
Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Code function: 0_2_0086228D pushad ; retf
Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Code function: 0_2_00862317 push es; ret
Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Code function: 0_2_008620F9 push ebx; retf
Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Code function: 0_2_06030363 push es; ret

Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | File opened: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Process information set: NOOPENFILEERRORBOX (37 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (103 identical entries)

              Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Window / User API: threadDelayed 572
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3566
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2177
              Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe TID: 4980 | Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe TID: 624 | Thread sleep count: 572 > 30
              Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe TID: 4980 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2156 | Thread sleep count: 3566 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2156 | Thread sleep count: 2177 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5028 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3576 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Process information queried: ProcessInformation

              Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              Allocates memory in foreign processes
              Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000 protect: page execute and read and write
              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000 value starts with: 4D5A
              Writes to foreign memory regions
              Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000
              Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 422000
              Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\Veladecor_order1.jpg
              Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
              Source: Orden_De_Compra_019999_img.exe, 00000000.00000002.884135748.0000000001910000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: Orden_De_Compra_019999_img.exe, 00000000.00000002.884135748.0000000001910000.00000002.00000001.sdmp | Binary or memory string: Progman
              Source: Orden_De_Compra_019999_img.exe, 00000000.00000002.884135748.0000000001910000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
              Source: Orden_De_Compra_019999_img.exe, 00000000.00000002.884135748.0000000001910000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

              Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Queries volume information: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe VolumeInformation
              Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\Orden_De_Compra_019999_img.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

              Yara detected AgentTesla
              Source: Yara match | File source: 00000006.00000002.882263652.0000000000422000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.888497000.0000000004131000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.887779335.0000000003F25000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.888931397.000000000437D000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 940, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Orden_De_Compra_019999_img.exe PID: 5060, type: MEMORY
              Source: Yara match | File source: 6.2.RegAsm.exe.420000.1.unpack, type: UNPACKEDPE

              Remote Access Functionality:

              Yara detected AgentTesla
              Source: Yara match | File source: 00000006.00000002.882263652.0000000000422000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.888497000.0000000004131000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.887779335.0000000003F25000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.888931397.000000000437D000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 940, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Orden_De_Compra_019999_img.exe PID: 5060, type: MEMORY
              Source: Yara match | File source: 6.2.RegAsm.exe.420000.1.unpack, type: UNPACKEDPE

              MITRE ATT&CK Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts1 | PowerShell1 | Hidden Files and Directories1 | Valid Accounts1 | Masquerading1 | Credential Dumping | Virtualization/Sandbox Evasion2 | Application Deployment Software | Data from Local System | Data Encrypted1 | Standard Cryptographic Protocol1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Replication Through Removable Media | Service Execution | Valid Accounts1 | Access Token Manipulation1 | Hidden Files and Directories1 | Network Sniffing | Process Discovery2 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              External Remote Services | Windows Management Instrumentation | Accessibility Features | Process Injection312 | Valid Accounts1 | Input Capture | Application Window Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Disabling Security Tools1 | Credentials in Files | File and Directory Discovery1 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | | Premium SMS Toll Fraud
              Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Virtualization/Sandbox Evasion2 | Account Manipulation | System Information Discovery12 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Access Token Manipulation1 | Brute Force | System Owner/User Discovery | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
              Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Process Injection312 | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
              Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Obfuscated Files or Information1 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

              Behavior Graph


              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.