
Analysis Report https://www.mediafire.com/file/xuk5d6qwx9yx9bf/EXONE_2606202201.7z/file

Overview

General Information

Sample URL: https://www.mediafire.com/file/xuk5d6qwx9yx9bf/EXONE_2606202201.7z/file

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • cmd.exe (PID: 4812 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.mediafire.com/file/xuk5d6qwx9yx9bf/EXONE_2606202201.7z/file' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 2572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wget.exe (PID: 4304 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.mediafire.com/file/xuk5d6qwx9yx9bf/EXONE_2606202201.7z/file' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • unarchiver.exe (PID: 556 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\download\EXONE 2606202201.7z' MD5: 8B435F8731563566F3F49203BA277865)
    • 7za.exe (PID: 5008 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\amqrnpay.x1e' 'C:\Users\user\Desktop\download\EXONE 2606202201.7z' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
      • conhost.exe (PID: 4880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 3292 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • EXONE 2606202201.exe (PID: 2912 cmdline: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe MD5: 1F41D32746736E756CAA7FABAB427069)
        • InstallUtil.exe (PID: 4824 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • cleanup
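
The first four processes in the tree (cmd.exe, wget.exe, unarchiver.exe and 7za.exe with the -pinfected password) are the sandbox's own download-and-extract harness for a URL submission, not sample behaviour. The chain that matters starts where cmd.exe /C launches 'EXONE 2606202201.exe' from %TEMP%: that loader drops InstallUtil.exe into %TEMP% (see the dropped-file entries further down) and starts it, and the AgentTesla Yara hits land in the loader's memory dumps (process 9) and in the unpacked image of process 12, InstallUtil.exe. InstallUtil.exe is a .NET Framework utility that lives under C:\Windows\Microsoft.NET\Framework\vX\; a copy in a user-writable Temp directory, started by another Temp-resident binary, is the shape of this loader that survives a change of payload hash. The code below is an added example, mine rather than the sandbox's or the malware's, that applies both checks to process-creation records constructed from this tree; the benign control event and the .NET host names other than InstallUtil.exe are my own assumptions.

```python
"""Flag the EXONE -> InstallUtil.exe chain from the report's process tree.

Added example; the event records below are constructed from the Startup
section of this report, not captured by the sandbox in this form.
"""
import ntpath
import re
from dataclasses import dataclass

# .NET Framework utilities that loaders commonly start suspended and hollow.
# InstallUtil.exe is the one used here; the others are my own extension.
DOTNET_HOSTS = {"installutil.exe", "regsvcs.exe", "regasm.exe", "msbuild.exe", "applaunch.exe"}

# Legitimate location of those utilities (any framework version, 32- or 64-bit).
DOTNET_DIR = re.compile(r"^c:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\", re.I)

# Directories a non-admin user can write to; a binary running from one of
# these is a weak signal alone and a strong one when it spawns a .NET host.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata\\local\\temp|downloads|desktop)\\", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def is_dotnet_host(image: str) -> bool:
    return ntpath.basename(image).lower() in DOTNET_HOSTS


def check_event(ev: ProcEvent, by_pid: dict) -> list:
    """Return the findings for one process-creation event."""
    findings = []
    if is_dotnet_host(ev.image) and not DOTNET_DIR.match(ev.image):
        findings.append(f"{ntpath.basename(ev.image)} running outside the .NET Framework directory: {ev.image}")
    parent = by_pid.get(ev.ppid)
    if parent and is_dotnet_host(ev.image) and USER_WRITABLE.match(parent.image):
        findings.append(f".NET host {ntpath.basename(ev.image)} (pid {ev.pid}) spawned by "
                        f"user-writable-path binary {parent.image} (pid {parent.pid})")
    return findings


def scan(events: list) -> dict:
    """Map pid -> findings for every event that raised at least one."""
    by_pid = {ev.pid: ev for ev in events}
    return {ev.pid: f for ev in events if (f := check_event(ev, by_pid))}


# Constructed from the report's Startup tree (PIDs and paths as listed there).
REPORT_TREE = [
    ProcEvent(3292, 556, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd.exe /C C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe"),
    ProcEvent(2912, 3292, r"C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe",
              r"C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe"),
    ProcEvent(4824, 2912, r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe",
              r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe"),
    # Benign control (assumed): the real InstallUtil.exe started by an installer.
    ProcEvent(7000, 1, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
              r"InstallUtil.exe service.exe"),
]

if __name__ == "__main__":
    for pid, findings in scan(REPORT_TREE).items():
        for line in findings:
            print(f"pid {pid}: {line}")
```

Only PID 4824 raises findings: it is a .NET host outside its install directory, and its parent is a Temp-resident executable. The control event shows that the path check alone does not fire on a legitimate InstallUtil.exe run.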

Malware Configuration

Threatname: Agenttesla

{"Username: ": "sc9Tzx", "URL: ": "https://CJitfB1Uzswh2q.org", "To: ": "david01smith@yandex.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "TnQoXftkkwAqNuG", "From: ": "david01smith@yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000009.00000002.524492905.000000000B8A4000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000003.499202454.000000000B1DD000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000003.498038066.000000000B88A000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000003.497188685.000000000B1C5000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000003.497834664.000000000B852000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(10 further memory-dump matches are not listed on this page)

Unpacked PEs

Source | Rule | Description | Author
12.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: InstallUtil.exe.4824.12.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "sc9Tzx", "URL: ": "https://CJitfB1Uzswh2q.org", "To: ": "david01smith@yandex.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "TnQoXftkkwAqNuG", "From: ": "david01smith@yandex.com"}

Antivirus or Machine Learning detection for unpacked file
Source: 12.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 027A097Fh
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 027A097Eh

Source: global traffic | TCP traffic: 192.168.2.6:49723 -> 77.88.21.158:587
Source: unknown | DNS traffic detected: queries for: www.mediafire.com
Source: InstallUtil.exe, 0000000C.00000002.850112174.000000000344A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: InstallUtil.exe, 0000000C.00000002.850112174.000000000344A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: wget.exe, 00000002.00000002.424587032.0000000002BA7000.00000004.00000001.sdmp, wget.exe, 00000002.00000003.421627199.0000000002BA7000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: wget.exe, 00000002.00000003.421592890.0000000002B9F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: wget.exe, 00000002.00000002.424464452.0000000002B6C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000002.00000002.424464452.0000000002B6C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl/8
Source: wget.exe, 00000002.00000002.424464452.0000000002B6C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: InstallUtil.exe, 0000000C.00000002.850112174.000000000344A000.00000004.00000001.sdmp | String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
Source: wget.exe, 00000002.00000002.424587032.0000000002BA7000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: wget.exe, 00000002.00000002.424464452.0000000002B6C000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com
Source: wget.exe, 00000002.00000003.421592890.0000000002B9F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: wget.exe, 00000002.00000002.424587032.0000000002BA7000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.comED
Source: wget.exe, 00000002.00000002.424464452.0000000002B6C000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.comer
Source: wget.exe, 00000002.00000002.424587032.0000000002BA7000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com
Source: wget.exe, 00000002.00000003.421592890.0000000002B9F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0)
Source: wget.exe, 00000002.00000002.424587032.0000000002BA7000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.comED
Source: wget.exe, 00000002.00000002.424587032.0000000002BA7000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.comSk
Source: InstallUtil.exe, 0000000C.00000002.850112174.000000000344A000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: InstallUtil.exe, 0000000C.00000002.850112174.000000000344A000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: InstallUtil.exe, 0000000C.00000002.850112174.000000000344A000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ycasha2.cer0
Source: InstallUtil.exe, 0000000C.00000002.849258694.00000000031D0000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.yandex.com
Source: InstallUtil.exe, 0000000C.00000002.850112174.000000000344A000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.com0.
Source: InstallUtil.exe, 0000000C.00000002.850112174.000000000344A000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.com01
Source: InstallUtil.exe, 0000000C.00000002.850112174.000000000344A000.00000004.00000001.sdmp | String found in binary or memory: http://www.certum.pl/CPS0
Source: InstallUtil.exe, 0000000C.00000002.850112174.000000000344A000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
Source: InstallUtil.exe, 0000000C.00000002.850112174.000000000344A000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.ocsp-responder.com03
Source: InstallUtil.exe, 0000000C.00000002.849258694.00000000031D0000.00000004.00000001.sdmp | String found in binary or memory: https://CJitfB1Uzswh2q.org
Source: cmdline.out.2.dr | String found in binary or memory: https://download2264.mediafire.com/emyw4xtvecig/xuk5d6qwx9yx9bf/EXONE
Source: wget.exe, 00000002.00000003.421592890.0000000002B9F000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: wget.exe, 00000002.00000002.424587032.0000000002BA7000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: InstallUtil.exe, 0000000C.00000002.850112174.000000000344A000.00000004.00000001.sdmp | String found in binary or memory: https://www.certum.pl/CPS0
Source: wget.exe, 00000002.00000003.421592890.0000000002B9F000.00000004.00000001.sdmp | String found in binary or memory: https://www.mediafire.com
Source: wget.exe, 00000002.00000002.422231659.0000000000140000.00000004.00000020.sdmp, cmdline.out.2.dr | String found in binary or memory: https://www.mediafire.com/file/xuk5d6qwx9yx9bf/EXONE_2606202201.7z/file
Source: wget.exe, 00000002.00000002.422873808.0000000001070000.00000004.00000040.sdmp | String found in binary or memory: https://www.mediafire.com/file/xuk5d6qwx9yx9bf/EXONE_2606202201.7z/fileHD
Source: wget.exe, 00000002.00000002.422873808.0000000001070000.00000004.00000040.sdmp | String found in binary or memory: https://www.mediafire.com/file/xuk5d6qwx9yx9bf/EXONE_2606202201.7z/fileID
Source: wget.exe, 00000002.00000002.422873808.0000000001070000.00000004.00000040.sdmp | String found in binary or memory: https://www.mediafire.com/file/xuk5d6qwx9yx9bf/EXONE_2606202201.7z/fileND
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
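
The extracted configuration (Malware Configuration section above) fixes the exfiltration channel: SMTP to smtp.yandex.com:587 with a hard-coded sender mailbox and password, which is the TCP flow to 77.88.21.158:587 recorded in this block. The code below is an added example, not part of the report, that turns the extractor's dictionary (its keys carry a trailing ": ") into indicators and runs them over connection and DNS records. REPORT_CONFIG is the configuration printed above; the DNS answer tying smtp.yandex.com to 77.88.21.158 is assumed (the report shows the connection but no DNS query for that name), and every record other than the report's 587 flow is constructed.

```python
"""Turn the extracted AgentTesla configuration into IOCs and match them
against connection and DNS records.

Added example, not part of the report. REPORT_CONFIG is the configuration the
report prints; the DNS answer and the connection records are constructed for
the example (the report shows the 587 connection but no DNS query for
smtp.yandex.com).
"""
from urllib.parse import urlparse

REPORT_CONFIG = {
    "Username: ": "sc9Tzx",
    "URL: ": "https://CJitfB1Uzswh2q.org",
    "To: ": "david01smith@yandex.com",
    "ByHost: ": "smtp.yandex.com:587",
    "Password: ": "TnQoXftkkwAqNuG",
    "From: ": "david01smith@yandex.com",
}


def normalize_config(cfg: dict) -> dict:
    """Strip the extractor's trailing ': ' from each key and lower-case it."""
    return {k.strip().rstrip(":").lower(): v for k, v in cfg.items()}


def iocs_from_config(cfg: dict) -> dict:
    """Derive the network- and account-level indicators from a config dict."""
    c = normalize_config(cfg)
    host, _, port = c.get("byhost", "").partition(":")
    url_host = urlparse(c["url"]).hostname if c.get("url") else None
    return {
        "smtp_host": host.lower() or None,
        "smtp_port": int(port) if port.isdigit() else None,
        "smtp_user": c.get("username"),
        # The mailbox plus credential pair is what the mail provider can act on.
        "mailboxes": sorted({c[k].lower() for k in ("to", "from") if c.get(k)}),
        "url_host": url_host,
    }


# Constructed records. The first CONN_LOG entry is the TCP flow in this report;
# the DNS answer mapping smtp.yandex.com to that IP is assumed, not observed.
DNS_LOG = [("smtp.yandex.com", "77.88.21.158")]
CONN_LOG = [
    {"proc": "InstallUtil.exe", "src": "192.168.2.6:49723", "dst": "77.88.21.158:587"},
    {"proc": "outlook.exe", "src": "192.168.2.6:49800", "dst": "198.51.100.20:587"},
    {"proc": "InstallUtil.exe", "src": "192.168.2.6:49801", "dst": "198.51.100.30:443"},
    {"proc": "updater.exe", "src": "192.168.2.6:49802", "dst": "198.51.100.40:465"},
]
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}


def match_connections(iocs: dict, conn_log: list, dns_log: list) -> list:
    """Return (severity, reason, record) for every connection worth raising."""
    resolved = {ip for name, ip in dns_log if name.lower() == iocs["smtp_host"]}
    hits = []
    for rec in conn_log:
        dst_ip, _, dst_port = rec["dst"].rpartition(":")
        port = int(dst_port)
        if dst_ip in resolved and port == iocs["smtp_port"]:
            hits.append(("high", "connection to the configured exfil SMTP server", rec))
        elif port in SMTP_PORTS and rec["proc"].lower() not in MAIL_CLIENTS:
            # The exfil server is a public mail provider, so its IP is not a
            # useful block; SMTP from a non-mail process is the durable signal.
            hits.append(("medium", "SMTP from a process that is not a mail client", rec))
    return hits


if __name__ == "__main__":
    iocs = iocs_from_config(REPORT_CONFIG)
    print(iocs)
    for sev, why, rec in match_connections(iocs, CONN_LOG, DNS_LOG):
        print(sev, why, rec["proc"], rec["dst"])
```

The report's flow scores high because the destination is the resolved address of the configured host on the configured port; the constructed updater.exe flow on 465 scores medium on the process/port pair alone, and the Outlook flow is ignored. Since the server belongs to a public provider, the actionable indicators are the mailbox and credential pair, to be reported to the provider, rather than the IP.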

Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Code function: 9_2_058291E0 CreateProcessAsUserW
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4_2_027A02A8, 4_2_027A0299
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Code function: 9_2_058291E0, 9_2_0582053B, 9_2_05823D48, 9_2_05820548
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_00E420B0, 12_2_0172FB30, 12_2_0172FB20
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_031AF3A0, 12_2_031A83F0, 12_2_031A0040, 12_2_031AE788, 12_2_031A2460, 12_2_031AEAD0, 12_2_031AF8A0, 12_2_031A2F40, 12_2_031A3C08, 12_2_031A83E0, 12_2_031A0006, 12_2_031A4031, 12_2_031A74D9, 12_2_031A7965, 12_2_031AF891, 12_2_031A78C1, 12_2_031A2E53
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_06580E90, 12_2_06586FB0, 12_2_06583D90, 12_2_06586250, 12_2_0658F3D0, 12_2_0658F1D8, 12_2_06582E57, 12_2_06582E0D, 12_2_0658263F, 12_2_06582EEB, 12_2_06582EA1, 12_2_06582F7F, 12_2_06582F35, 12_2_0658DF98, 12_2_06581CFE, 12_2_06582492, 12_2_06582C8E, 12_2_06582D79, 12_2_06582D2F, 12_2_06582521, 12_2_06582DC3, 12_2_06583D80, 12_2_065825B0, 12_2_0658229A, 12_2_06582AB7, 12_2_06580E90, 12_2_0658F3C0, 12_2_06581B9B, 12_2_06580040, 12_2_06582021, 12_2_065820F4, 12_2_0658F1C8, 12_2_06582180
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0661E360, 12_2_0661C850, 12_2_066106C8, 12_2_0661B3D0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_066DCF98, 12_2_066D7F30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_066E3A38, 12_2_066ED2DE, 12_2_066EEAA1, 12_2_066E3348, 12_2_066ED7F0, 12_2_066E0040, 12_2_066EB0E8, 12_2_066EC8A8, 12_2_066E98B0, 12_2_066ED4B0, 12_2_066EA570, 12_2_066E8508, 12_2_066E25C0, 12_2_066E6248, 12_2_066E3A28, 12_2_066E6239, 12_2_066E5ACA, 12_2_066ED7E0, 12_2_066E2C60, 12_2_066E2C70, 12_2_066E98A0, 12_2_066E1C88, 12_2_066EA561, 12_2_066E6956, 12_2_066E5D08, 12_2_066E711F, 12_2_066E25B0, 12_2_066E5986
Source: classification engine | Classification label: mal100.troj.spyw.evad.win@15/9@4/3
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3464:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2572:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4880:120:WilError_01
Source: C:\Windows\SysWOW64\unarchiver.exe | File created: C:\Users\user\AppData\Local\Temp\4b2znvou.fsa
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2x)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts (2x)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File read: C:\Windows\System32\drivers\etc\hosts (4x)
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.mediafire.com/file/xuk5d6qwx9yx9bf/EXONE_2606202201.7z/file' > cmdline.out 2>&1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.mediafire.com/file/xuk5d6qwx9yx9bf/EXONE_2606202201.7z/file'
Source: unknown | Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\download\EXONE 2606202201.7z'
Source: unknown | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\amqrnpay.x1e' 'C:\Users\user\Desktop\download\EXONE 2606202201.7z'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.mediafire.com/file/xuk5d6qwx9yx9bf/EXONE_2606202201.7z/file'
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\amqrnpay.x1e' 'C:\Users\user\Desktop\download\EXONE 2606202201.7z'
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll | source: InstallUtil.exe, 0000000C.00000002.847568539.0000000000E42000.00000002.00020000.sdmp, InstallUtil.exe.9.dr
Source: Binary string: InstallUtil.pdb | source: InstallUtil.exe, InstallUtil.exe.9.dr

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4_2_00B62800 push edi; ret
Source: C:\Windows\SysWOW64\7za.exe | Code function: 5_2_00D6CA70 pushad ; retf
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Code function: 9_2_00F6694C push esi; iretd
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Code function: 9_2_058235B2, 9_2_05823112, 9_2_05826921, 9_2_05823534, 9_2_0582372B push 8B02EB67h; ret
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Code function: 9_2_0582392B push 8BF88B67h; iretd
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Code function: 9_2_05824458 pushad ; iretd
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: push es; ret at 12_2_0658DE41, 12_2_0658DE45 (2x), 12_2_0658A669 (3x), 12_2_0658DE1B, 12_2_0658A61D (3x), 12_2_0658DE1D, 12_2_0658DE39, 12_2_0658DE3D, 12_2_0658DE31, 12_2_0658DE35, 12_2_0658DE29, 12_2_0658DE2D, 12_2_0658DE21, 12_2_0658DE25, 12_2_0658A6CD, 12_2_0658A6F9

               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
               Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe

              Hooking and other Techniques for Hiding and Protection:

               Hides that the sample has been downloaded from the Internet (zone.identifier)
               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe File opened: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe:Zone.Identifier read attributes | delete
               Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe Process information set: NOOPENFILEERRORBOX
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

               Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
               Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
               Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
               Source: EXONE 2606202201.exe, 00000009.00000002.515278704.0000000003250000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe Thread delayed: delay time: 922337203685477
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 784
               Source: C:\Windows\SysWOW64\unarchiver.exe TID: 4548 Thread sleep count: 232 > 30
               Source: C:\Windows\SysWOW64\unarchiver.exe TID: 4548 Thread sleep time: -116000s >= -30000s
               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe TID: 4576 Thread sleep time: -2767011611056431s >= -30000s
               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe TID: 4412 Thread sleep count: 176 > 30
               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe TID: 1560 Thread sleep time: -922337203685477s >= -30000s
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5096 Thread sleep time: -2767011611056431s >= -30000s
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 1788 Thread sleep count: 784 > 30
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5096 Thread sleep time: -60000s >= -30000s
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5096 Thread sleep time: -55500s >= -30000s
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5096 Thread sleep time: -46500s >= -30000s
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5096 Thread sleep time: -35500s >= -30000s
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5096 Thread sleep time: -34000s >= -30000s
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5096 Thread sleep time: -30500s >= -30000s
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5096 Thread sleep time: -30000s >= -30000s
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
               Source: C:\Windows\SysWOW64\unarchiver.exe Last function: Thread delayed
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Last function: Thread delayed
               Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4_2_00B6B042 GetSystemInfo,
               Source: InstallUtil.exe, 0000000C.00000002.852142229.0000000006210000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
               Source: EXONE 2606202201.exe, 00000009.00000002.515278704.0000000003250000.00000004.00000001.sdmp Binary or memory string: vmware
               Source: InstallUtil.exe, 0000000C.00000002.852142229.0000000006210000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
               Source: InstallUtil.exe, 0000000C.00000002.852142229.0000000006210000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
               Source: InstallUtil.exe, 0000000C.00000002.853204000.00000000067D0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
               Source: InstallUtil.exe, 0000000C.00000002.852142229.0000000006210000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe Process information queried: ProcessInformation

               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 12_2_06580E90 KiUserExceptionDispatcher,LdrInitializeThunk,KiUserExceptionDispatcher,KiUserExceptionDispatcher,
               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe Process token adjusted: Debug
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug
               Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

               Allocates memory in foreign processes
               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
               Injects a PE file into a foreign process
               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
               Writes to foreign memory regions
               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 448000
               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 44A000
               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 1164008
               Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\amqrnpay.x1e' 'C:\Users\user\Desktop\download\EXONE 2606202201.7z'
               Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe'
               Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe
               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
               Source: unarchiver.exe, 00000004.00000002.848332150.00000000012F0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.848794387.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
               Source: unarchiver.exe, 00000004.00000002.848332150.00000000012F0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.848794387.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: Progman
               Source: unarchiver.exe, 00000004.00000002.848332150.00000000012F0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.848794387.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: RProgram Managerm
               Source: unarchiver.exe, 00000004.00000002.848332150.00000000012F0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.848794387.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

               Source: C:\Windows\SysWOW64\wget.exe Queries volume information: C:\Users\user\Desktop\download VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe Queries volume information: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 12_2_06580878 GetUserNameW,
               Source: C:\Windows\SysWOW64\wget.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

               Yara detected AgentTesla
               Source: Yara match File source: 00000009.00000002.524492905.000000000B8A4000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: 00000009.00000003.499202454.000000000B1DD000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: 00000009.00000003.498038066.000000000B88A000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: 00000009.00000003.497188685.000000000B1C5000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: 00000009.00000003.497834664.000000000B852000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: 00000009.00000003.498220056.000000000B8A3000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: 00000009.00000002.520354454.0000000004B11000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: 0000000C.00000002.849258694.00000000031D0000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: 00000009.00000002.519238298.0000000004AA6000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: 0000000C.00000002.847453206.0000000000402000.00000040.00000001.sdmp, type: MEMORY
               Source: Yara match File source: 00000009.00000002.515278704.0000000003250000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4824, type: MEMORY
               Source: Yara match File source: Process Memory Space: EXONE 2606202201.exe PID: 2912, type: MEMORY
               Source: Yara match File source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
               Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
               Tries to harvest and steal browser information (history, passwords, etc)
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\cookies.sqlite
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
               Tries to harvest and steal ftp login credentials
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
               Tries to steal Mail credentials (via file access)
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
               Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
               Source: Yara match File source: 0000000C.00000002.849258694.00000000031D0000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4824, type: MEMORY

              Remote Access Functionality:

               Yara detected AgentTesla
               Source: Yara match File source: 00000009.00000002.524492905.000000000B8A4000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: 00000009.00000003.499202454.000000000B1DD000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: 00000009.00000003.498038066.000000000B88A000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: 00000009.00000003.497188685.000000000B1C5000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: 00000009.00000003.497834664.000000000B852000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: 00000009.00000003.498220056.000000000B8A3000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: 00000009.00000002.520354454.0000000004B11000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: 0000000C.00000002.849258694.00000000031D0000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: 00000009.00000002.519238298.0000000004AA6000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: 0000000C.00000002.847453206.0000000000402000.00000040.00000001.sdmp, type: MEMORY
               Source: Yara match File source: 00000009.00000002.515278704.0000000003250000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4824, type: MEMORY
               Source: Yara match File source: Process Memory Space: EXONE 2606202201.exe PID: 2912, type: MEMORY
               Source: Yara match File source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

              (The page renders this as a 14-column tactic matrix; it is listed here one tactic column per line, in the page's order. A trailing number is the matched-signature count the page shows next to that technique; a technique without a number had no matching signature for this sample.)

              Initial Access: Valid Accounts 1; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise
              Execution: Windows Management Instrumentation 211; Graphical User Interface 1; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software; Rundll32
              Persistence: Hidden Files and Directories 1; Valid Accounts 1; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts; DLL Search Order Hijacking
              Privilege Escalation: Valid Accounts 1; Access Token Manipulation 1; Process Injection 312; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection; Service Registry Permissions Weakness
              Defense Evasion: Software Packing 1; Disabling Security Tools 1; Obfuscated Files or Information 2; Masquerading 1; Hidden Files and Directories 1; Valid Accounts 1; Virtualization/Sandbox Evasion 13; Access Token Manipulation 1; Process Injection 312
              Credential Access: Credential Dumping 2; Credentials in Registry 1; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History; Input Prompt
              Discovery: Account Discovery 1; Security Software Discovery 211; File and Directory Discovery 1; System Information Discovery 115; Virtualization/Sandbox Evasion 13; Process Discovery 2; Application Window Discovery 1; System Owner/User Discovery 1; Remote System Discovery 1
              Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol; Windows Admin Shares
              Collection: Data from Local System 2; Email Collection 1; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data; Automated Collection
              Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Physical Medium
              Command and Control: Standard Cryptographic Protocol 12; Standard Non-Application Layer Protocol 1; Standard Application Layer Protocol 12; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol; Multilayer Encryption
              Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
              Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
              Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

              Behavior Graph


              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET