

Analysis Report PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe

Overview

General Information

Sample Name: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe
Analysis ID: 286336
MD5: 5534d71175a8ddc713bd487ad3c4e4ab
SHA1: d2bf7ba7e59cef3c1b8556b44c9f1ad2845addf4
SHA256: 4d6a4c556af5a4e4a05ca5aadb976af1f792bb509cd17cf26aa2ca3081317e3c
Tags: exe

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
Contains functionality to register a low level keyboard hook
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe (PID: 1904 cmdline: 'C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe' MD5: 5534D71175A8DDC713BD487AD3C4E4AB)
    • schtasks.exe (PID: 3408 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nqOncxA' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD7.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.453837241.0000000002C9A000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.197070156.0000000003A99000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.196737344.0000000002AEE000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.196670173.0000000002A91000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000003.00000002.450779125.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nqOncxA' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD7.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nqOncxA' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD7.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe'
  ParentImage: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe
  ParentProcessId: 1904
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nqOncxA' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD7.tmp'
  ProcessId: 3408

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\nqOncxA.exe | Virustotal: Detection: 19%
Source: C:\Users\user\AppData\Roaming\nqOncxA.exe | ReversingLabs: Detection: 18%
Multi AV Scanner detection for submitted file
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Virustotal: Detection: 19%
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | ReversingLabs: Detection: 18%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\nqOncxA.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Joe Sandbox ML: detected
Source: 3.2.PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000003.00000002.453691469.0000000002C11000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000003.00000002.453691469.0000000002C11000.00000004.00000001.sdmp | String found in binary or memory: http://ACTBLJ.com
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000003.00000002.453691469.0000000002C11000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000000.00000002.196670173.0000000002A91000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000003.00000002.453691469.0000000002C11000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000003.00000002.450779125.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000003.00000002.453691469.0000000002C11000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000003.00000002.450779125.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000003.00000002.453691469.0000000002C11000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_05EC921C SetWindowsHookExW 0000000D,00000000,?,?
Installs a global keyboard hook
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000000.00000002.196455034.0000000000E5B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 0_2_012EC2B0
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 0_2_012E9990
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 0_2_05C2BC20
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 0_2_05C20040
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 0_2_05C20021
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 0_2_00772050
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_011B2D50
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_011B2768
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_011B1FE0
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_011BCAD8
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_011BEEC8
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_011B9DB8
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_011D1D48
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_012C46E0
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_012C35EC
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_012C45F0
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_012C4670
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_012C53B2
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_012C35E0
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_012CDA40
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_05EC7540
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_05EC94F8
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_05EC6928
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_05EC2517
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_05EC6C70
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_008E2050
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nqOncxA.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000000.00000002.201682819.0000000006520000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000000.00000002.196070861.000000000081D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameuk0L.exe4 vs PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000000.00000002.196737344.0000000002AEE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEminem.dll< vs PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000000.00000002.201820499.0000000006620000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000000.00000002.201820499.0000000006620000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000000.00000002.196670173.0000000002A91000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamekROLXjoScvgJCHxNwXDYyTCW.exe4 vs PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000003.00000000.195483070.000000000098D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameuk0L.exe4 vs PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000003.00000002.453153526.0000000001220000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000003.00000002.450948707.0000000000438000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamekROLXjoScvgJCHxNwXDYyTCW.exe4 vs PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000003.00000002.451526384.0000000000D37000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Binary or memory string: OriginalFilenameuk0L.exe4 vs PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: nqOncxA.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: nqOncxA.exe.0.dr, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe.770000.0.unpack, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe.770000.0.unpack, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe.8e0000.0.unpack, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe.8e0000.1.unpack, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/4@0/0
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | File created: C:\Users\user\AppData\Roaming\nqOncxA.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_01
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | File created: C:\Users\user\AppData\Local\Temp\tmpAD7.tmp
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Virustotal: Detection: 19%
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | ReversingLabs: Detection: 18%
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | File read: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe
Source: unknown | Process created: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe 'C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nqOncxA' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD7.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nqOncxA' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD7.tmp'
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Process created: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_011B7A37 push edi; retn 0000h 3_2_011B7A39
Source: initial sample | Static PE information: section name: .text entropy: 7.30470115304
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | File created: \po#2081777 fa2003084 sap s4 hana myc20028.exe
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | File created: C:\Users\user\AppData\Roaming\nqOncxA.exe (dropped file)

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nqOncxA' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD7.tmp'
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Process information set: NOOPENFILEERRORBOX (entry repeated 76 times)

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.196737344.0000000002AEE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.196670173.0000000002A91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe PID: 1904, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000000.00000002.196737344.0000000002AEE000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000000.00000002.196737344.0000000002AEE000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Window / User API: threadDelayed 460
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Window / User API: threadDelayed 435
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 1912 | Thread sleep time: -52891s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 1912 | Thread sleep time: -45000s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 3984 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5652 | Thread sleep count: 460 > 30
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5652 | Thread sleep count: 435 > 30
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -56906s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -89250s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -58688s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -58188s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -58000s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -57500s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -85032s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -56500s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -56188s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -56000s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -83391s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -82032s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -81750s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -80391s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -53188s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -53000s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -52688s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -78750s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -78141s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -51594s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -51188s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -76500s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -50500s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -75141s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -49688s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -49500s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -49188s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -49000s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -72891s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -48094s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -71532s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -71250s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -69891s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -69282s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -68250s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -44594s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -66282s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -66000s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -43500s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -43094s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -42188s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -63000s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -41094s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -61032s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -60750s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -59391s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -38688s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -57750s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -37594s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -36500s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -35500s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -34188s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -33094s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -57812s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -57312s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -55812s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -54906s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -54312s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -53812s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -53406s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -52312s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -51406s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -50812s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -50312s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -48812s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -47312s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -46812s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -46406s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -45312s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -45094s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -44406s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -43312s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -42906s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -42688s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -41594s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -40906s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -40312s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -39406s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -39188s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -38312s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -38094s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -37406s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -37188s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -37000s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -36812s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -36312s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -36094s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -35906s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -35000s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -34812s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -34594s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -33906s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -33500s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -32812s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -32594s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -32406s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -32188s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -31312s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -31094s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -30406s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -30188s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe TID: 5312 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Last function: Thread delayed
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000000.00000002.196737344.0000000002AEE000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000000.00000002.196737344.0000000002AEE000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000000.00000002.196737344.0000000002AEE000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000000.00000002.196737344.0000000002AEE000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_011BCAD8 LdrInitializeThunk
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Memory written: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nqOncxA' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD7.tmp'
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Process created: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000003.00000002.453562138.0000000001700000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000003.00000002.453562138.0000000001700000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000003.00000002.453562138.0000000001700000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe, 00000003.00000002.453562138.0000000001700000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe VolumeInformation
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe VolumeInformation
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 3_2_05EC5D44 GetUserNameW
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000003.00000002.453837241.0000000002C9A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.197070156.0000000003A99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.450779125.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe PID: 2112, type: MEMORY
Source: Yara match | File source: 3.2.PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: Process Memory Space: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe PID: 2112, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000003.00000002.453837241.0000000002C9A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.197070156.0000000003A99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.450779125.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe PID: 2112, type: MEMORY
Source: Yara match | File source: 3.2.PO#2081777 FA2003084 SAP S4 HANA MYC20028.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix (one line per tactic column; digits following a technique name are the report's signature-count badges, reproduced as extracted)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation 211; Scheduled Task/Job 1; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Scheduled Task/Job 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection 112; Scheduled Task/Job 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 14; Disable or Modify Tools 1; Process Injection 112; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Software Packing 3; Indicator Removal from Tools
Credential Access: OS Credential Dumping 1; Input Capture 211; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery 321; Virtualization/Sandbox Evasion 14; Process Discovery 2; Application Window Discovery 1; Account Discovery 1; System Owner/User Discovery 1; File and Directory Discovery 1; System Information Discovery 114
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Email Collection 1; Input Capture 211; Archive Collected Data 11; Data from Local System 1; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel 1; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

              Behavior Graph


              Screenshots
