
Analysis Report USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE

Overview

General Information

Sample Name: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
Analysis ID: 321120
MD5: 5d3d23738b2b4bb1f7fe3371ea7ecc76
SHA1: 4e72608c340c7b18f4ff359552da57c9dee29e99
SHA256: 21b054a3b319b950887eff329ebb237a5d442e6742e94d66d2ff17cd85f8d930
Tags: EXE, HSBC, ModiLoader


Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Initial sample is a PE file and has a suspicious name
Injects a PE file into foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Startup

  • System is w10x64
  • Owdpdrv.exe (PID: 6760 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe' MD5: 5D3D23738B2B4BB1F7FE3371EA7ECC76)
    • Owdpdrv.exe (PID: 4800 cmdline: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe MD5: 5D3D23738B2B4BB1F7FE3371EA7ECC76)
  • Owdpdrv.exe (PID: 6872 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe' MD5: 5D3D23738B2B4BB1F7FE3371EA7ECC76)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "PQTF8kmaji", "URL: ": "http://WuQXJFerpNu.net", "To: ": "Crystal@suncurepelletmill.com", "ByHost: ": "mail.suncurepelletmill.com:587", "Password: ": "Y4nU5SbKWMVNWw", "From: ": "Crystal@suncurepelletmill.com"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\pdwO.url | Methodology_Shortcut_HotKey | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x9b:$hotkey: \x0AHotKey=1
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\AppData\Local\pdwO.url | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\AppData\Local\pdwO.url | Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x70:$icon: IconFile=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.932033702.00000000021F4000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000B.00000003.767263953.00000000004C1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000B.00000002.935842915.0000000004F00000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.935435728.0000000003471000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.783743346.0000000002C67000.00000020.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0xde8:$file: URL=
  • 0xdcc:$url_explicit: [InternetShortcut]

Unpacked PEs

Source | Rule | Description | Author | Strings
11.2.Owdpdrv.exe.4f00000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE.4ec0000.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE.2400000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE.2400000.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
11.2.Owdpdrv.exe.4f00000.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE.4460.2.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "PQTF8kmaji", "URL: ": "http://WuQXJFerpNu.net", "To: ": "Crystal@suncurepelletmill.com", "ByHost: ": "mail.suncurepelletmill.com:587", "Password: ": "Y4nU5SbKWMVNWw", "From: ": "Crystal@suncurepelletmill.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | ReversingLabs: Detection: 16%
Multi AV Scanner detection for submitted file
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Virustotal: Detection: 26%
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | ReversingLabs: Detection: 16%
Source: 5.2.Owdpdrv.exe.2c50000.6.unpack | Avira: Label: TR/Hijacker.Gen
Source: 1.2.USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE.2df0000.5.unpack | Avira: Label: TR/Hijacker.Gen
Source: 1.2.USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE.2e90000.6.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.2.Owdpdrv.exe.2cf0000.7.unpack | Avira: Label: TR/Dropper.Gen

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49769 -> 192.186.237.168:587
Source: Joe Sandbox View | IP Address: 162.159.136.232
Source: Joe Sandbox View | IP Address: 162.159.138.232
Source: Joe Sandbox View | IP Address: 162.159.135.233
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: discord.com
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.933886627.0000000002471000.00000004.00000001.sdmp, Owdpdrv.exe, 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Owdpdrv.exe, 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.934877979.00000000027C3000.00000004.00000001.sdmp, USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000003.899170983.0000000005111000.00000004.00000001.sdmp, USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.933886627.0000000002471000.00000004.00000001.sdmp, USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.934934311.00000000027D1000.00000004.00000001.sdmp | String found in binary or memory: http://WuQXJFerpNu.net
Source: Owdpdrv.exe, 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp | String found in binary or memory: http://hHeaxI.com
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.934905842.00000000027C9000.00000004.00000001.sdmp | String found in binary or memory: http://mail.suncurepelletmill.com
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.934905842.00000000027C9000.00000004.00000001.sdmp | String found in binary or memory: http://suncurepelletmill.com
Source: Owdpdrv.exe, 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.933886627.0000000002471000.00000004.00000001.sdmp, Owdpdrv.exe, 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.696849625.0000000002600000.00000004.00000001.sdmp, Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.disc8
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.696849625.0000000002600000.00000004.00000001.sdmp, Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discorda
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.696849625.0000000002600000.00000004.00000001.sdmp, Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.c
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.696849625.0000000002600000.00000004.00000001.sdmp, Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/a
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attac0
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachmen
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/7
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/77848
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/7784816176054
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/77848161760549277$
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/778481617605492770/77
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/778481617605492770/779193
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/778481617605492770/7791933544
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/778481617605492770/77919335445784
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/778481617605492770/779193354457841664
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/778481617605492770/779193354457841664/OwdH
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/778481617605492770/779193354457841664/Owdprrr
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/7784816178
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://discord.com/
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.933886627.0000000002471000.00000004.00000001.sdmp, Owdpdrv.exe, 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Window created: window name: CLIPBRDWNDCLASS
Source: Yara match | File source: Process Memory Space: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE PID: 3912, type: MEMORY
Source: Yara match | File source: Process Memory Space: Owdpdrv.exe PID: 6760, type: MEMORY

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXECode function: String function: 0040E1D8 appears 43 times
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exeCode function: String function: 0040E1D8 appears 44 times
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXEStatic PE information: invalid certificate
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXEStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                    Source: Owdpdrv.exe.1.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.696671406.00000000023F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.698043220.000000007F470000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameygwxuBNDsCnleMFrPILFrkECdmuYRRQwMZPAraQ.exe4 vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.697939174.00000000046E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.696682355.0000000002410000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.697299189.0000000002AA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.927294895.000000000045A000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameygwxuBNDsCnleMFrPILFrkECdmuYRRQwMZPAraQ.exe4 vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000003.698959513.0000000000708000.00000004.00000001.sdmpBinary or memory string: OriginalFilename_.dll4 vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.930286972.00000000007F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.938935829.0000000005610000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.938230564.0000000004F30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dll.muij% vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.933886627.0000000002471000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.938190674.0000000004F20000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dllj% vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.927026885.0000000000198000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.939208870.0000000005920000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXESection loaded: mscorjit.dll
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exeSection loaded: mscorjit.dll
                    Source: 00000005.00000002.783743346.0000000002C67000.00000020.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
                    Source: 00000005.00000002.783743346.0000000002C67000.00000020.00000001.sdmp, type: MEMORYMatched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
                    Source: 00000001.00000002.697786352.0000000002E07000.00000020.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
                    Source: 00000001.00000002.697786352.0000000002E07000.00000020.00000001.sdmp, type: MEMORYMatched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
                    Source: C:\Users\user\AppData\Local\pdwO.url, type: DROPPEDMatched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
                    Source: C:\Users\user\AppData\Local\pdwO.url, type: DROPPEDMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
                    Source: C:\Users\user\AppData\Local\pdwO.url, type: DROPPEDMatched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
                    Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/5@8/6
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, (2 times)
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe Command line argument: 08A
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (3 times)
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (5 times)
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE File read: C:\Windows\System32\drivers\etc\hosts (6 times)
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe File read: C:\Windows\System32\drivers\etc\hosts (6 times)
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Virustotal: Detection: 26%
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE ReversingLabs: Detection: 16%
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE File read: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: unknown Process created: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE 'C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE'
                    Source: unknown Process created: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: unknown Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe'
                    Source: unknown Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe'
                    Source: unknown Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Process created: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Static file information: File size 1346928 > 1048576
                    Source: Binary string: _.pdb source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000003.698959513.0000000000708000.00000004.00000001.sdmp, Owdpdrv.exe, 0000000B.00000002.932033702.00000000021F4000.00000004.00000001.sdmp

                    Data Obfuscation:

                    Detected unpacking (changes PE section rights)
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe Unpacked PE file: 11.2.Owdpdrv.exe.400000.0.unpack .text:ER;.itext:ER;.data:W;.bss:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                    Detected unpacking (overwrites its own PE header)
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe Unpacked PE file: 11.2.Owdpdrv.exe.400000.0.unpack
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Code function: 2_2_0041C40C push cs; iretd
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Code function: 2_2_00423149 push eax; ret
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Code function: 2_2_0041C50E push cs; iretd
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Code function: 2_2_004231C8 push eax; ret
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Code function: 2_2_0040E21D push ecx; ret
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Code function: 2_2_0041C6BE push ebx; ret
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Code function: 2_2_00485E8F push edi; retn 0000h
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe Code function: 11_2_0041C40C push cs; iretd
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe Code function: 11_2_00423149 push eax; ret
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe Code function: 11_2_0041C50E push cs; iretd
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe Code function: 11_2_004231C8 push eax; ret
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe Code function: 11_2_0040E21D push ecx; ret
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe Code function: 11_2_0041C6BE push ebx; ret
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe Code function: 11_2_04F765C3 push eax; ret
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Owdp (2 times)
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Process information set: NOOPENFILEERRORBOX (51 times)
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe Process information set: NOOPENFILEERRORBOX (42 times)

                    Malware Analysis System Evasion:

                    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE Window / User API: threadDelayed 597
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe Window / User API: threadDelayed 471
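The WMI class enumerations and the sleep calls listed in this section are the two evasion signals a triage script can pull straight out of a behaviour log like this one. The Python below is an added example, not part of the report or of Joe Sandbox: it parses constructed lines in the same shape as the ones above (paths shortened, numbers illustrative), aggregates them per process, and flags the delay value 922337203685477, which equals (2**63 - 1) // 10000, i.e. .NET TimeSpan.MaxValue expressed in whole milliseconds (how the sample passed that value is not visible in the report). The list of fingerprint classes, the scoring weights, and the reading of the sandbox's negative sleep values as relative-delay magnitudes are my assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the shape of the behaviour lines in this report. Paths are
# shortened and the numbers are illustrative, not copied from a real run.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\sample.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\sample.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\sample.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\sample.exe TID: 7068 Thread sleep time: -59406s >= -30000s
Source: C:\Users\user\Desktop\sample.exe TID: 7068 Thread sleep time: -1000s >= -30000s
Source: C:\Users\user\Desktop\sample.exe TID: 7084 Thread sleep count: 597 > 30
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 6756 Thread sleep count: 12 > 30
"""

# WMI classes commonly enumerated to fingerprint a hypervisor. The report's
# signatures name Win32_Bios, Win32_BaseBoard and Win32_NetworkAdapter; the rest
# of this list is my own choice.
VM_PROBE_CLASSES = {
    "Win32_BIOS", "Win32_BaseBoard", "Win32_ComputerSystem", "Win32_Processor",
    "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration",
    "Win32_DiskDrive", "Win32_VideoController",
}

# .NET TimeSpan.MaxValue is 2**63 - 1 ticks of 100 ns; in whole milliseconds that
# is 922337203685477, the delay value printed in this report.
MAX_TIMESPAN_MS = (2**63 - 1) // 10_000

LINE_RE = re.compile(r"^Source:\s+(?P<src>\S+)\s+(?P<event>.+)$")
WMI_RE = re.compile(r"root\\cimv2\s*:\s*(?:SELECT .+? FROM\s+)?(?P<cls>Win32_\w+)")
SLEEP_TIME_RE = re.compile(r"Thread sleep time:\s*(?P<val>-?\d+)s\s*>=\s*(?P<thr>-?\d+)s")
SLEEP_COUNT_RE = re.compile(r"Thread sleep count:\s*(?P<val>\d+)\s*>\s*(?P<thr>\d+)")
DELAY_RE = re.compile(r"Thread delayed: delay time:\s*(?P<val>\d+)")


@dataclass
class ProcessEvasion:
    vm_probes: set = field(default_factory=set)      # distinct fingerprint classes
    long_sleeps: list = field(default_factory=list)  # sleep magnitudes >= threshold
    sleep_loops: list = field(default_factory=list)  # sleep counts above threshold
    infinite_delay: bool = False                     # TimeSpan.MaxValue style delay

    def score(self) -> int:
        # Weights are an assumption: one per fingerprint class, two for long
        # sleeps, two for a sleep loop, three for a practically infinite delay.
        return (len(self.vm_probes) + 2 * bool(self.long_sleeps)
                + 2 * bool(self.sleep_loops) + 3 * self.infinite_delay)


def wmi_class(event: str):
    """Return the Win32_* class named in a WMI query event, or None."""
    m = WMI_RE.search(event)
    return m["cls"] if m else None


def triage(lines: str) -> dict:
    """Aggregate behaviour lines into per-process evasion indicators."""
    result = defaultdict(ProcessEvasion)
    for raw in lines.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec, event = result[m["src"]], m["event"]
        cls = wmi_class(event)
        if cls in VM_PROBE_CLASSES:
            rec.vm_probes.add(cls)
        if s := SLEEP_TIME_RE.search(event):
            # The sandbox prints relative NT delays as negative numbers, so the
            # comparison that matters is on magnitude (assumption about the format).
            val, thr = abs(int(s["val"])), abs(int(s["thr"]))
            if val >= thr:
                rec.long_sleeps.append(val)
            if val == MAX_TIMESPAN_MS:
                rec.infinite_delay = True
        if (c := SLEEP_COUNT_RE.search(event)) and int(c["val"]) > int(c["thr"]):
            rec.sleep_loops.append(int(c["val"]))
        if (d := DELAY_RE.search(event)) and int(d["val"]) == MAX_TIMESPAN_MS:
            rec.infinite_delay = True
    return dict(result)


if __name__ == "__main__":
    for src, rec in triage(SAMPLE_LINES).items():
        print(f"{src}: score={rec.score()} probes={sorted(rec.vm_probes)} "
              f"long_sleeps={rec.long_sleeps} loops={rec.sleep_loops} "
              f"infinite={rec.infinite_delay}")
```

Run against the real report, the per-process records separate the dropper on the desktop from the persisted copy under AppData, which matters because both show the same fingerprinting and sleep behaviour and so both need to be covered by any host-side containment.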
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7084 Thread sleep count: 263 > 30
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7084 Thread sleep count: 597 > 30
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 Thread sleep time: -59406s >= -30000s
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 Thread sleep time: -52094s >= -30000s
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 Thread sleep time: -38094s >= -30000s
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 Thread sleep time: -58312s >= -30000s
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 Thread sleep time: -57406s >= -30000s
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 Thread sleep time: -56312s >= -30000s
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 Thread sleep time: -55406s >= -30000s
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 Thread sleep time: -55000s >= -30000s
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 Thread sleep time: -54812s >= -30000s
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 Thread sleep time: -54094s >= -30000s
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 Thread sleep time: -53906s >= -30000s
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 Thread sleep time: -53000s >= -30000s
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 Thread sleep time: -52812s >= -30000s
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 Thread sleep time: -52594s >= -30000s
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 Thread sleep time: -51906s >= -30000s
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 Thread sleep time: -51500s >= -30000s
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 Thread sleep time: -51312s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 6756 Thread sleep count: 471 > 30
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -58500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -57594s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -56500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -55188s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -55000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -53688s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -53000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -52594s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -51500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -50594s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -49500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -48594s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -47094s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -44000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -43594s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -43188s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -42688s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -42500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -42094s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -41188s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048 Thread sleep time: -41000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -40500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -40094s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -39688s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -39188s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -39000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -38594s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -38094s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -37500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -37000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -36594s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -35500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -35094s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -34594s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -34000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -33500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -33094s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -32688s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -32000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -31594s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -31094s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -30688s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -30500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Last function: Thread delayed
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.938935829.0000000005610000.00000002.00000001.sdmp, Owdpdrv.exe, 0000000B.00000002.936208812.0000000005210000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.929586896.00000000006FF000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.938935829.0000000005610000.00000002.00000001.sdmp, Owdpdrv.exe, 0000000B.00000002.936208812.0000000005210000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.938935829.0000000005610000.00000002.00000001.sdmp, Owdpdrv.exe, 0000000B.00000002.936208812.0000000005210000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.938935829.0000000005610000.00000002.00000001.sdmp, Owdpdrv.exe, 0000000B.00000002.936208812.0000000005210000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code function: 2_2_0048A4D8 LdrInitializeThunk,
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code function: 2_2_0040ADB0 GetProcessHeap,HeapFree,
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code function: 2_2_004123F1 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Code function: 11_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Code function: 11_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Code function: 11_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Code function: 11_2_004123F1 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Memory written: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Memory written: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Process created: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.932503045.0000000000C00000.00000002.00000001.sdmp, Owdpdrv.exe, 0000000B.00000002.929332992.0000000000B40000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.932503045.0000000000C00000.00000002.00000001.sdmp, Owdpdrv.exe, 0000000B.00000002.929332992.0000000000B40000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.932503045.0000000000C00000.00000002.00000001.sdmp, Owdpdrv.exe, 0000000B.00000002.929332992.0000000000B40000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.932503045.0000000000C00000.00000002.00000001.sdmp, Owdpdrv.exe, 0000000B.00000002.929332992.0000000000B40000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code function: 2_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Code function: 11_2_05A64C94 GetUserNameW,
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 0000000B.00000002.932033702.00000000021F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.767263953.00000000004C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.935842915.0000000004F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.935435728.0000000003471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.933607178.0000000002400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.934613196.0000000003531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.933886627.0000000002471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.933280290.0000000002234000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.935490984.0000000004970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.694028712.00000000006BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.937725779.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE PID: 4460, type: MEMORY
Source: Yara match | File source: Process Memory Space: Owdpdrv.exe PID: 4800, type: MEMORY
Source: Yara match | File source: 11.2.Owdpdrv.exe.4f00000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE.4ec0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE.2400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE.2400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Owdpdrv.exe.4f00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Owdpdrv.exe.4970000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Owdpdrv.exe.4970000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE.4ec0000.3.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.933886627.0000000002471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE PID: 4460, type: MEMORY
Source: Yara match | File source: Process Memory Space: Owdpdrv.exe PID: 4800, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File sources: the same memory dumps and unpacked PE files listed for this signature under "Stealing of Sensitive Information" above.

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 1 | OS Credential Dumping 2 | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | Registry Run Keys / Startup Folder 1 | Process Injection 112 | Deobfuscate/Decode Files or Information 1 | Credentials in Registry 1 | Account Discovery 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter 2 | Logon Script (Windows) | Registry Run Keys / Startup Folder 1 | Obfuscated Files or Information 2 | Security Account Manager | System Information Discovery 125 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 21 | NTDS | Query Registry 1 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading 1 | LSA Secrets | Security Software Discovery 241 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 13 | DCSync | Process Discovery 3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 112 | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 321120 | Sample: USD55,260.84_PAYMENT_ADVICE... | Startdate: 20/11/2020 | Architecture: WINDOWS | Score: 100

• Start node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for submitted file; 2 other signatures
• Start node started: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE (1 16); Owdpdrv.exe (14); Owdpdrv.exe (14)
• USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE (1 16)
  • DNS/IP: cdn.discordapp.com 162.159.135.233, 443, 49734, 49747 CLOUDFLARENETUS United States; discord.com 162.159.138.232, 443, 49733, 49746 CLOUDFLARENETUS United States
  • Dropped: C:\Users\user\AppData\Local\...\Owdpdrv.exe, PE32
  • Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign processes
  • Started: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE (2)
• Owdpdrv.exe (14), first instance
  • DNS/IP: 192.168.2.1 unknown unknown
  • Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
  • Started: Owdpdrv.exe (2)
• Owdpdrv.exe (14), second instance
  • DNS/IP: 162.159.133.233, 443, 49749 CLOUDFLARENETUS United States; 162.159.136.232, 443, 49748 CLOUDFLARENETUS United States
• USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE (2), child of the first sample process
  • DNS/IP: suncurepelletmill.com 192.186.237.168, 49769, 587 AS-26496-GO-DADDY-COM-LLCUS United States; mail.suncurepelletmill.com
  • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | 26% | Virustotal | -
USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | 17% | ReversingLabs | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | 17% | ReversingLabs | -

Unpacked PE Files

Source | Detection | Scanner | Label
5.2.Owdpdrv.exe.2c50000.6.unpack | 100% | Avira | TR/Hijacker.Gen
1.2.USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE.2df0000.5.unpack | 100% | Avira | TR/Hijacker.Gen
1.2.USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE.2e90000.6.unpack | 100% | Avira | TR/Dropper.Gen
5.2.Owdpdrv.exe.2cf0000.7.unpack | 100% | Avira | TR/Dropper.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://cdn.discordapp.c | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://suncurepelletmill.com | 0% | Avira URL Cloud | safe
http://hHeaxI.com | 0% | Avira URL Cloud | safe
https://discord.com/ | 0% | URL Reputation | safe
http://mail.suncurepelletmill.com | 0% | Avira URL Cloud | safe
https://api.ipify.orgGETMozilla/5.0 | 0% | URL Reputation | safe
https://cdn.discorda | 0% | Avira URL Cloud | safe
http://WuQXJFerpNu.net | 0% | Avira URL Cloud | safe
https://cdn.disc8 | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
discord.com | 162.159.138.232 | true | false | - | unknown
cdn.discordapp.com | 162.159.135.233 | true | false | - | high
suncurepelletmill.com | 192.186.237.168 | true | true | - | unknown
mail.suncurepelletmill.com | unknown | unknown | true | - | unknown

URLs from Memory and Binaries

Name | Malicious | Antivirus Detection | Reputation (the Source line under each entry lists the process and memory dump the URL string was found in)
https://cdn.discordapp.c | false | Avira URL Cloud: safe | unknown
  Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.696849625.0000000002600000.00000004.00000001.sdmp, Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp
https://cdn.discordapp.com/attachments/7784816176054 | false | - | high
  Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp
http://127.0.0.1:HTTP/1.1 | false | Avira URL Cloud: safe | low
  Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.933886627.0000000002471000.00000004.00000001.sdmp, Owdpdrv.exe, 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp
https://cdn.discordapp.com/attachments/778481617605492770/77 | false | - | high
  Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp
http://DynDns.comDynDNS | false | URL Reputation: safe | unknown
  Source: Owdpdrv.exe, 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp
https://cdn.discordapp.com/attachments/778481617605492770/779193 | false | - | high
  Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp
https://cdn.discordapp.com/attachments/77848161760549277$ | false | - | high
  Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp
https://cdn.discordapp.com/attachments/778481617605492770/77919335445784 | false | - | high
  Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp
https://cdn.discordapp.com/attachments/77848 | false | - | high
  Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | false | URL Reputation: safe | unknown
  Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.933886627.0000000002471000.00000004.00000001.sdmp, Owdpdrv.exe, 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp
https://cdn.discordapp.com/attachments/7 | false | - | high
  Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp
https://cdn.discordapp.com/attachments/7784816178 | false | - | high
  Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp
http://suncurepelletmill.com | false | Avira URL Cloud: safe | unknown
  Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.934905842.00000000027C9000.00000004.00000001.sdmp
https://cdn.discordapp.com/attachments/778481617605492770/779193354457841664 | false | - | high
  Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp
http://hHeaxI.com | false | Avira URL Cloud: safe | unknown
  Source: Owdpdrv.exe, 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp
https://discord.com/ | false | URL Reputation: safe | unknown
  Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp
http://mail.suncurepelletmill.com | false | Avira URL Cloud: safe | unknown
  Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.934905842.00000000027C9000.00000004.00000001.sdmp
https://cdn.discordapp.com/attachments/778481617605492770/7791933544 | false | - | high
  Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp
https://cdn.discordapp.com/attachmen | false | - | high
  Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp
https://cdn.discordapp.com/a | false | - | high
  Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.696849625.0000000002600000.00000004.00000001.sdmp, Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp
https://api.ipify.orgGETMozilla/5.0 | false | URL Reputation: safe | unknown
  Source: Owdpdrv.exe, 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp
https://cdn.discordapp.com/attac0 | false | - | high
  Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp
https://cdn.discordapp.com/attachments/778481617605492770/779193354457841664/OwdH | false | - | high
  Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp
https://cdn.discorda | false | Avira URL Cloud: safe | unknown
  Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.696849625.0000000002600000.00000004.00000001.sdmp, Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp
http://WuQXJFerpNu.net | true | Avira URL Cloud: safe | unknown
  Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.934877979.00000000027C3000.00000004.00000001.sdmp, USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000003.899170983.0000000005111000.00000004.00000001.sdmp, USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.933886627.0000000002471000.00000004.00000001.sdmp, USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.934934311.00000000027D1000.00000004.00000001.sdmp
https://cdn.discordapp.com/attachments/778481617605492770/779193354457841664/Owdprrr | false | - | high
  Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x | false | - | high
  Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.933886627.0000000002471000.00000004.00000001.sdmp, Owdpdrv.exe, 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp
https://cdn.disc8 | false | Avira URL Cloud: safe | unknown
  Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.696849625.0000000002600000.00000004.00000001.sdmp, Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
162.159.136.232 | unknown | United States | 13335 | CLOUDFLARENETUS | false
162.159.138.232 | unknown | United States | 13335 | CLOUDFLARENETUS | false
192.186.237.168 | unknown | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
162.159.135.233 | unknown | United States | 13335 | CLOUDFLARENETUS | false
162.159.133.233 | unknown | United States | 13335 | CLOUDFLARENETUS | false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 321120
Start date: 20.11.2020
Start time: 11:25:44
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 23s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@8/6
EGA Information: Failed
HDC Information:
• Successful, ratio: 8.9% (good quality ratio 8.5%)
• Quality average: 84.6%
• Quality standard deviation: 24.6%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .EXE
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 52.147.198.201, 51.104.144.132, 8.253.204.120, 8.248.117.254, 8.248.133.254, 8.248.119.254, 67.26.83.254, 52.155.217.156, 20.54.26.129, 95.101.22.134, 95.101.22.125, 51.104.139.180
• Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
11:26:38 | API Interceptor | 692x Sleep call for process: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE modified
11:26:56 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Owdp C:\Users\user\AppData\Local\pdwO.url
11:27:04 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Owdp C:\Users\user\AppData\Local\pdwO.url
11:27:05 | API Interceptor | 424x Sleep call for process: Owdpdrv.exe modified

Joe Sandbox View / Context

IPs

Match: associated sample name / URL (detection; context where given)

162.159.136.232
• NyUnwsFSCa.exe (malicious)
• PO#0007507_009389283882873PDF.exe (malicious)
• D6vy84I7rJ.exe (malicious)
• LAX28102020HBL_AMSLAX1056_CTLQD06J0BL_PO_DTH266278_RFQ.exe (malicious)
• QgwtAnenic.exe (malicious)
• qclepSi8m5.exe (malicious)
• 99GQMirv2r.exe (malicious)
• 7w6Yl263sM.exe (malicious)
• 8Ce3uRUjxv.exe (malicious)
• 187QadygQl.exe (malicious)
• eybgvwBamW.exe (malicious)
• RÖSLER Puchase_tcs 10-28-2020,pdf.exe (malicious)
• Payment of bank details,zip.exe (malicious)
• Documentos_ordine.exe (malicious)
• PO CBV87654468,pdf.exe (malicious)
• Master Jurilia MV_PACIFIC_Grace TutiCorin.exe (malicious)
• Bkrndbc_Signed_.exe (malicious)
• PO102620.exe (malicious)
• Ilpgivn_Signed_.exe (malicious)
• DHL PARCEL AWB 1222576549.exe (malicious)

162.159.138.232
• 9Pimjl3jyq.exe (malicious)
• RFQ for TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe (malicious)
• 99GQMirv2r.exe (malicious)
• 8Ce3uRUjxv.exe (malicious)
• NEW PO # 20001578.exe (malicious)
• HSBC-0914.exe (malicious)
• Payment of bank details,zip.exe (malicious)
• PO CBV87654468,pdf.exe (malicious)
• Master Jurilia MV_PACIFIC_Grace TutiCorin.exe (malicious)
• Bkrndbc_Signed_.exe (malicious)
• aFYqaxx4On.exe (malicious)
• s8d5H0hJyx.exe (malicious)
• DHL PARCEL AWB 1222576549.exe (malicious)
• BREACHOFDATA.exe (malicious)
• DHL_889887.exe (malicious)
• HSBC File.exe (malicious)
• Bank Receipt 23.10.exe (malicious)
• PROFORMA Updt NR.119220_REV_3 Copies IMG_00002892.exe (malicious)
• DHL_314142.exe (malicious)
• Policja.exe (malicious)

192.186.237.168
• PO#0007507_009389283882873PDF.exe (malicious)
• NEW ORDER po 21000491 from Ukraine.exe (malicious)

162.159.135.233
• Teklif Rusya 24 09 2020.doc (malicious; context: cdn.discordapp.com/attachments/733818080668680222/758418625429372978/p2.jpg)

Domains

Match: associated sample name / URL (detection; context IP)

discord.com
• NyUnwsFSCa.exe (malicious; context: 162.159.135.232)
• Fl0aIIH39W.exe (malicious; context: 162.159.138.232)
• PO#0007507_009389283882873PDF.exe (malicious; context: 162.159.135.232)
• 9Pimjl3jyq.exe (malicious; context: 162.159.138.232)
• D6vy84I7rJ.exe (malicious; context: 162.159.135.232)
• RFQ for TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe (malicious; context: 162.159.138.232)
• Payment Confirmation NOV-85869983TGTTAS.exe (malicious; context: 162.159.128.233)
• LAX28102020HBL_AMSLAX1056_CTLQD06J0BL_PO_DTH266278_RFQ.exe (malicious; context: 162.159.137.232)
• LAX28102020HBL_AMSLAX1056_CTLQD06J0BL_PO_DTH266278_RFQ.exe (malicious; context: 162.159.136.232)
• QgwtAnenic.exe (malicious; context: 162.159.136.232)
• qclepSi8m5.exe (malicious; context: 162.159.136.232)
• 8fJPaTfN8D.exe (malicious; context: 162.159.137.232)
• LJLMG5Syza.exe (malicious; context: 162.159.137.232)
• 99GQMirv2r.exe (malicious; context: 162.159.136.232)
                                                                                                                                                7w6Yl263sM.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.136.232
                                                                                                                                                oAkfKRTCvN.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.128.233
                                                                                                                                                8Ce3uRUjxv.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.136.232
                                                                                                                                                plata bancara.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.135.232
                                                                                                                                                187QadygQl.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.136.232
                                                                                                                                                eybgvwBamW.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.136.232
                                                                                                                                                cdn.discordapp.comNyUnwsFSCa.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.133.233
                                                                                                                                                1099008FEDEX_090887766.xlsGet hashmaliciousBrowse
                                                                                                                                                • 162.159.129.233
                                                                                                                                                1099008FEDEX_090887766.xlsGet hashmaliciousBrowse
                                                                                                                                                • 162.159.134.233
                                                                                                                                                PO#0007507_009389283882873PDF.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.135.233
                                                                                                                                                9Pimjl3jyq.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.133.233
                                                                                                                                                D6vy84I7rJ.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.135.233
                                                                                                                                                Payment copy.docGet hashmaliciousBrowse
                                                                                                                                                • 162.159.129.233
                                                                                                                                                RFQ for TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.133.233
                                                                                                                                                d6pj421rXA.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.130.233
                                                                                                                                                LAX28102020HBL_AMSLAX1056_CTLQD06J0BL_PO_DTH266278_RFQ.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.134.233
                                                                                                                                                LAX28102020HBL_AMSLAX1056_CTLQD06J0BL_PO_DTH266278_RFQ.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.134.233
                                                                                                                                                Order_Request_Retail_20-11691-AB.xlsxGet hashmaliciousBrowse
                                                                                                                                                • 162.159.130.233
                                                                                                                                                http://cdn.discordapp.com/attachments/776234221668270104/776349109195898880/AWB_DHL733918737WA56301224799546260.pdf.7zGet hashmaliciousBrowse
                                                                                                                                                • 162.159.134.233
                                                                                                                                                89BR0suQeS.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.133.233
                                                                                                                                                89BR0suQeS.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.133.233
                                                                                                                                                RBBD5vivZc.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.130.233
                                                                                                                                                S01NwVhW5A.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.133.233
                                                                                                                                                qelMUH5CPF.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.134.233
                                                                                                                                                o9Fr4K1qcu.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.135.233
                                                                                                                                                SecuriteInfo.com.Trojan.Siggen10.63473.17852.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.159.130.233

ASN

Match   Associated Sample Name / URL   SHA 256   Detection   Link   Context
                                                                                                                                                MV.KMTC JEBEL ALI_pdf.exeGet hashmaliciousBrowse
                                                                                                                                                • 184.168.131.241
                                                                                                                                                PO0119-1620 LQSB 0320 Siemens.exeGet hashmaliciousBrowse
                                                                                                                                                • 184.168.131.241
                                                                                                                                                PO#0007507_009389283882873PDF.exeGet hashmaliciousBrowse
                                                                                                                                                • 192.186.237.168
                                                                                                                                                http://homeschoolingteen.comGet hashmaliciousBrowse
                                                                                                                                                • 107.180.51.106
                                                                                                                                                http://p3nlhclust404.shr.prod.phx3.secureserver.netGet hashmaliciousBrowse
                                                                                                                                                • 72.167.191.65
                                                                                                                                                INQUIRY.exeGet hashmaliciousBrowse
                                                                                                                                                • 166.62.27.57
                                                                                                                                                moses.exeGet hashmaliciousBrowse
                                                                                                                                                • 148.66.138.196
                                                                                                                                                PROOF OF PAYMENT.exeGet hashmaliciousBrowse
                                                                                                                                                • 184.168.131.241
                                                                                                                                                baf6b9fcec491619b45c1dd7db56ad3d.exeGet hashmaliciousBrowse
                                                                                                                                                • 184.168.131.241
                                                                                                                                                https://j.mp/38NwiZZGet hashmaliciousBrowse
                                                                                                                                                • 107.180.26.71
                                                                                                                                                POSH XANADU Order-SP-20-V241e.xlsxGet hashmaliciousBrowse
                                                                                                                                                • 184.168.131.241
                                                                                                                                                https://tg325.infusion-links.com/api/v1/click/5985883831533568/6575528038498304Get hashmaliciousBrowse
                                                                                                                                                • 198.71.233.138
                                                                                                                                                https://tg325.infusion-links.com/api/v1/click/5985883831533568/6575528038498304Get hashmaliciousBrowse
                                                                                                                                                • 198.71.233.138
                                                                                                                                                anthony.exeGet hashmaliciousBrowse
                                                                                                                                                • 107.180.4.22
                                                                                                                                                https://sailingfloridakeys.com/Guarantee/Get hashmaliciousBrowse
                                                                                                                                                • 104.238.92.18
                                                                                                                                                oX3qPEgl5x.exeGet hashmaliciousBrowse
                                                                                                                                                • 198.71.232.3
                                                                                                                                                https://rfpforsubmission.typeform.com/to/Vtnb9OBCGet hashmaliciousBrowse
                                                                                                                                                • 148.72.93.116

JA3 Fingerprints

Match: 37f463bf4616ecd445d4a1937da06e19

Associated Sample Name / URL | Detection | Context (IPs listed below each entry)
Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | malicious
• 162.159.135.233
• 162.159.133.233
https://u19114248.ct.sendgrid.net/ls/click?upn=1kMFt-2Foese19BdzKqBBNxmUiDNiO3l4ozyKR3JHYHjGXyXtR1YgfLizwybC7hwFoy4wlb-2FUZczInc9Ssmzz4dQ-3D-3DuU6r_TCf26aIMQHFUMJSqtVnzlcWBqfQpkiFxCOBj9heiSevnqRkiapxQjkatt3r5u5xw-2FNDgXhA220pIRwcKmyMneET98pBkuhL-2FUwJCaSrvE5mZhnMBtJdZf9Opljklq5t7Y-2BINqElPIJU8bjYLY27qV6L-2FSwA36husfmMqwKagSwOgE04FdniEmY9uEbym50XNhqKw9lgczv6HrSrYNm6ouXnIayW-2FSBLzGYxoTYKe6OA-3D | malicious
• 162.159.135.233
• 162.159.133.233
https://rugbysacele.ro/zz/IK/of1/nhctfwp4x278qkbusvijl6z39y5ema1o0gdr597irqhw4x0fk3uevzlaoj12bdmpsnt8g6yce40h6iv7bprsowxd3z2nmu8kal5gcj1yf9qt?data=dmluY2VudC5kdXNvcmRldEBpbWQub3Jn#aHR0cHM6Ly9ydWdieXNhY2VsZS5yby96ei9JSy9vZjEvNDUzMjY3NzY4JmVtYWlsPXZpbmNlbnQuZHVzb3JkZXRAaW1kLm9yZw== | malicious
• 162.159.135.233
• 162.159.133.233
TR-D45.pdf.exe | malicious
• 162.159.135.233
• 162.159.133.233
Shipping Documents (INV,PL,BL)_pdf.exe | malicious
• 162.159.135.233
• 162.159.133.233
https://kimiyasanattools.com/outlook/latest-onedrive/microsoft.php | malicious
• 162.159.135.233
• 162.159.133.233
https://filmconsultancy.bindwall.ml/mike@filmconsultancy.com | malicious
• 162.159.135.233
• 162.159.133.233
https://trondiamond.co/OMMOM/OM9u8 | malicious
• 162.159.135.233
• 162.159.133.233
https://www.canva.com/design/DAEN9RlD8Vk/acBvt6UoL-DafjXmQk38pA/view?utm_content=DAEN9RlD8Vk&utm_campaign=designshare&utm_medium=link&utm_source=publishsharelink | malicious
• 162.159.135.233
• 162.159.133.233
https://bit.ly/2UDM1To | malicious
• 162.159.135.233
• 162.159.133.233
https://app.clio.com/link/AxWtfjmmzhja | malicious
• 162.159.135.233
• 162.159.133.233
order.exe | malicious
• 162.159.135.233
• 162.159.133.233
http://45.95.168.116 | malicious
• 162.159.135.233
• 162.159.133.233
https://u7342898.ct.sendgrid.net/ls/click?upn=HCSIWZDf9Xl-2FB6XFKqg1zjEMCja-2BnYJ5hRYKkDjy2dSVqjHsLlv5ZMXJXnh9JLSzwabeBrvYMnX699odsYkKotv4jgW-2BTippSHf276Hpn3fz0kcusnYHGKND7vKQPAS7g42-2FTb5zb8CNq57r3z9Ilg-3D-3DWdrE_hNl5WjNXy0NQcJb9WqI7qh7uPLeU7UGDRahFCFKbQLS6qwym7zJ-2B-2BhWsSSLs8pHa1w9VDlWPsA7ahHsZZucjX2ktFkSy5vhVZT2L3Jxh6b-2FoboCHa2CJGLfF19s71-2FI3WPC7rECe-2BEO9fLwbfggsNq2V1-2FqgMhzgJQL411ZuD7Y8pECisPKLf0vf9WvB1fyVO9o6Euui31Jg3e-2FDialpg2CbkM21Us8J-2FBk13yWzh58-3D | malicious
• 162.159.135.233
• 162.159.133.233
https://carolearmstrongrealestate.com/wpe/14ea332d0684051d9fef033a5f1607dd?usr=cnBlbmRsZXRvbkBkYXRlc3dlaXNlci5jb20= | malicious
• 162.159.135.233
• 162.159.133.233
dde1df2ac5845a19823cabe182fcd870.exe | malicious
• 162.159.135.233
• 162.159.133.233
https://prod.dfg152.ru/activate?key=23696252760045174930 | malicious
• 162.159.135.233
• 162.159.133.233
dde1df2ac5845a19823cabe182fcd870.exe | malicious
• 162.159.135.233
• 162.159.133.233
BYRkah8GsZ.exe | malicious
• 162.159.135.233
• 162.159.133.233
https://www.canva.com/design/DAEN3YdYVHw/zaVHWoDx-9G9l20JXWSBtg/view?utm_content=DAEN3YdYVHw&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton | malicious
• 162.159.135.233
• 162.159.133.233

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\Owdprrr[1]
Process: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
File Type: ASCII text, with very long lines, with no line terminators
Category: dropped
Size (bytes): 1114112
Entropy (8bit): 3.9947435422074546
Encrypted: false
SSDEEP: 24576:N3SiHKEEL7ayoGPMofRzwqQ9/So4H+SdmjefdN9MSyt6yp:l
MD5: ECD8C8EDEE35CCA6CAD407E7A3E27793
SHA1: 2DD68BCEB14949C5A1C87B5EBB4FB58FA1C24FC2
SHA-256: EB1A7529F296B0B910F24DA1A9325149C29A467DC10525C2E54A0AB0E706AA7A
SHA-512: CA45D054C73BF017D0D308E0041ACE4FCE250CF2AA6E5CF815488CAE0B27F9BE9205FE5881990027909578373A4EA8334A2452A7A177F805736EBC1D7F9AEABD
Malicious: false
Reputation: low
                                                                                                                                                Preview: 70c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e17090870655a073a14602f545a775e3a38230e1d5c5f04292736041b4557122c3f0a01131e1a43627f6005106c605b75726a1c171f1f33000115051a791e20056a08631d141e3879786576021f1035710c17641d191e297c7f670c6d6e683b77116c176301705770736c0a1b1a164467726a0c176b6e5677746114131318360d0b1c021d7713220361006711131b35737162710c1212337a0413681a1c132375786002606c6e307f156010660c7a5e77746207191c1d4c637e6d091a616751707a6c1615181032010c190f177e14250d6c02611a1b1f0c302f080f1515124b6b7d6c08176168597e70641a1c17173a020d180217711c2b07640e68151c174b6663750f1a1d1c416371650710696b587f7d641514191d320e0417051f7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\Owdprrr[1]
Process: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: dropped
Size (bytes): 1114112
Entropy (8bit): 3.9947435422074546
Encrypted: false
SSDEEP: 24576:N3SiHKEEL7ayoGPMofRzwqQ9/So4H+SdmjefdN9MSyt6yp:l
MD5: ECD8C8EDEE35CCA6CAD407E7A3E27793
SHA1: 2DD68BCEB14949C5A1C87B5EBB4FB58FA1C24FC2
SHA-256: EB1A7529F296B0B910F24DA1A9325149C29A467DC10525C2E54A0AB0E706AA7A
SHA-512: CA45D054C73BF017D0D308E0041ACE4FCE250CF2AA6E5CF815488CAE0B27F9BE9205FE5881990027909578373A4EA8334A2452A7A177F805736EBC1D7F9AEABD
Malicious: false
Reputation: low
                                                                                                                                                Preview: 70c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e17090870655a073a14602f545a775e3a38230e1d5c5f04292736041b4557122c3f0a01131e1a43627f6005106c605b75726a1c171f1f33000115051a791e20056a08631d141e3879786576021f1035710c17641d191e297c7f670c6d6e683b77116c176301705770736c0a1b1a164467726a0c176b6e5677746114131318360d0b1c021d7713220361006711131b35737162710c1212337a0413681a1c132375786002606c6e307f156010660c7a5e77746207191c1d4c637e6d091a616751707a6c1615181032010c190f177e14250d6c02611a1b1f0c302f080f1515124b6b7d6c08176168597e70641a1c17173a020d180217711c2b07640e68151c174b6663750f1a1d1c416371650710696b587f7d641514191d320e0417051f7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\Owdprrr[2]
Process: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: downloaded
Size (bytes): 1114112
Entropy (8bit): 3.9947435422074546
Encrypted: false
SSDEEP: 24576:N3SiHKEEL7ayoGPMofRzwqQ9/So4H+SdmjefdN9MSyt6yp:l
MD5: ECD8C8EDEE35CCA6CAD407E7A3E27793
SHA1: 2DD68BCEB14949C5A1C87B5EBB4FB58FA1C24FC2
SHA-256: EB1A7529F296B0B910F24DA1A9325149C29A467DC10525C2E54A0AB0E706AA7A
SHA-512: CA45D054C73BF017D0D308E0041ACE4FCE250CF2AA6E5CF815488CAE0B27F9BE9205FE5881990027909578373A4EA8334A2452A7A177F805736EBC1D7F9AEABD
Malicious: false
Reputation: low
IE Cache URL: https://cdn.discordapp.com/attachments/778481617605492770/779193354457841664/Owdprrr
                                                                                                                                                Preview: 70c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e17090870655a073a14602f545a775e3a38230e1d5c5f04292736041b4557122c3f0a01131e1a43627f6005106c605b75726a1c171f1f33000115051a791e20056a08631d141e3879786576021f1035710c17641d191e297c7f670c6d6e683b77116c176301705770736c0a1b1a164467726a0c176b6e5677746114131318360d0b1c021d7713220361006711131b35737162710c1212337a0413681a1c132375786002606c6e307f156010660c7a5e77746207191c1d4c637e6d091a616751707a6c1615181032010c190f177e14250d6c02611a1b1f0c302f080f1515124b6b7d6c08176168597e70641a1c17173a020d180217711c2b07640e68151c174b6663750f1a1d1c416371650710696b587f7d641514191d320e0417051f7
C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe
Process:C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1346928
Entropy (8bit):7.062405677677901
Encrypted:false
SSDEEP:24576:aVggyMBuni3KmeVXHY7hiBrGNLYragKkTZxUScffBxsqPerMmzZC3N4Sr5RPEwdO:a5uWVLYLnURxsqPerMmzZC3N4Sr5RPEO
MD5:5D3D23738B2B4BB1F7FE3371EA7ECC76
SHA1:4E72608C340C7B18F4FF359552DA57C9DEE29E99
SHA-256:21B054A3B319B950887EFF329EBB237A5D442E6742E94D66D2FF17CD85F8D930
SHA-512:0D62A76EBD28FF69C4D9201F01E39E1B1737E521635AFC37FD10EB04007F9538B7E8C2CD5A8A5697FAB2E2768BD22062DFA0002EA4FCEB4AEBEC7B4EBA76BA2A
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 17%
Reputation:low
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................R... .......j.......p....@..............................................@..............................F-...................v..p....@...............................0.......................................................text...PD.......F.................. ..`.itext.......`.......J.............. ..`.data....7...p...8...V..............@....bss....8;...............................idata..F-..........................@....tls....@.... ...........................rdata.......0......................@..@.reloc.......@......................@..B.rsrc................f..............@..@.....................v..............@..@................................................................................................
C:\Users\user\AppData\Local\pdwO.url
Process:C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
File Type:MS Windows 95 Internet shortcut text (URL=<file:\\\C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Owdpdrv.exe>), ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):169
Entropy (8bit):5.146619155679392
Encrypted:false
SSDEEP:3:HRAbABGQYmHmEX+Ro6p4EkD5oef5yaKhPL6vQJ5ontCBuXV9k/qIH19Yxv:HRYFVmcKaJkDlR9umvQJ5OtZF9k/qI7I
MD5:45AE9651732EF16084522D728371E38F
SHA1:77E3DCF754603F85091F3979123E796C65D26277
SHA-256:DFCC0B2C174970668F72ABEF671EF6211D15DA669B7D40F488B0097F4FC69E55
SHA-512:4BD6911AF65F0B143026446F176036C7FFE02F965A4FB42CE3A92CC669EC61DDDCCC95C7B9DD32AD32BC6801DF99205905E1A2ADC5C17468B6570FC927DC32D0
Malicious:false
Yara Hits:
• Rule: Methodology_Shortcut_HotKey, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\AppData\Local\pdwO.url, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\AppData\Local\pdwO.url, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\AppData\Local\pdwO.url, Author: @itsreallynick (Nick Carr)
Reputation:low
Preview: [InternetShortcut]..URL=file:\\\C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Owdpdrv.exe..IconIndex=1..IconFile=.url..Modified=20F06BA06D07BD014D..HotKey=1601..

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.062405677677901
TrID:
• Win32 Executable (generic) a (10002005/4) 99.81%
• Windows Screen Saver (13104/52) 0.13%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name:USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
File size:1346928
MD5:5d3d23738b2b4bb1f7fe3371ea7ecc76
SHA1:4e72608c340c7b18f4ff359552da57c9dee29e99
SHA256:21b054a3b319b950887eff329ebb237a5d442e6742e94d66d2ff17cd85f8d930
SHA512:0d62a76ebd28ff69c4d9201f01e39e1b1737e521635afc37fd10eb04007f9538b7e8c2cd5a8a5697fab2e2768bd22062dfa0002ea4fceb4aebec7b4eba76ba2a
SSDEEP:24576:aVggyMBuni3KmeVXHY7hiBrGNLYragKkTZxUScffBxsqPerMmzZC3N4Sr5RPEwdO:a5uWVLYLnURxsqPerMmzZC3N4Sr5RPEO
File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon

Icon Hash:64ccd4f0f0f0f8d4

Static PE Info

General

Entrypoint:0x4a6a0c
Entrypoint Section:.itext
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:9f8c170f32c73b28f480a91184443651

Authenticode Signature

Signature Valid:false
Signature Issuer:CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232
Not Before, Not After
• 12/7/2009 11:40:29 PM 3/7/2011 11:40:29 PM
Subject Chain
• CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:3
Thumbprint MD5:E3FEDB37F4874E84CDB82A789FFDCD67
Thumbprint SHA-1:9617094A1CFB59AE7C1F7DFDB6739E4E7C40508F
Thumbprint SHA-256:277D42066A68326BA10B1874D393327404287C14A9C9DB1C09D50698952A17DD
Serial:6101CF3E00000000000F

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
mov eax, 004A5140h
call 00007F05244B64C8h
mov ebx, dword ptr [004AA5D0h]
mov eax, dword ptr [ebx]
call 00007F052451A31Bh
mov eax, dword ptr [ebx]
mov edx, 004A6A88h
call 00007F0524519D8Fh
mov ecx, dword ptr [004AA458h]
mov eax, dword ptr [ebx]
mov edx, dword ptr [004A42C8h]
call 00007F052451A314h
mov ecx, dword ptr [004AA2D8h]
mov eax, dword ptr [ebx]
mov edx, dword ptr [004A2E90h]
call 00007F052451A301h
mov eax, dword ptr [004AA458h]
mov eax, dword ptr [eax]
xor edx, edx
call 00007F05245124EBh
mov eax, dword ptr [ebx]
mov byte ptr [eax+5Bh], 00000000h
mov eax, dword ptr [ebx]
call 00007F052451A366h
pop ebx
call 00007F05244B400Ch
add byte ptr [eax], al
add bh, bh

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xaf000          0x2d46        .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xbf000          0x91000       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x147600         0x1770        .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb4000          0xa714        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0xb3000          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xaf880          0x704         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x1000           0xa4450       0xa4600   False     0.520161002852   data       6.55423520994   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext  0xa6000          0xa94         0xc00     False     0.5556640625     data       5.87975501075   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data   0xa7000          0x37b0        0x3800    False     0.3994140625     data       4.61945402788   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss    0xab000          0x3b38        0x0       False     0                empty      0.0             IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata  0xaf000          0x2d46        0x2e00    False     0.316576086957   data       5.15484719413   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls    0xb2000          0x40          0x0       False     0                empty      0.0             IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata  0xb3000          0x18          0x200     False     0.05078125       data       0.210826267787  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xb4000          0xa714        0xa800    False     0.548107328869   data       6.63320143782   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc   0xbf000          0x91000       0x91000   False     0.531827518858   data       7.0918777236    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0xbfcb8 | 0x134 | data | English | United States
RT_CURSOR | 0xbfdec | 0x134 | data | English | United States
RT_CURSOR | 0xbff20 | 0x134 | data | English | United States
RT_CURSOR | 0xc0054 | 0x134 | data | English | United States
RT_CURSOR | 0xc0188 | 0x134 | data | English | United States
RT_CURSOR | 0xc02bc | 0x134 | data | English | United States
RT_CURSOR | 0xc03f0 | 0x134 | data | English | United States
RT_BITMAP | 0xc0524 | 0x1d0 | data | English | United States
RT_BITMAP | 0xc06f4 | 0x1e4 | data | English | United States
RT_BITMAP | 0xc08d8 | 0x1d0 | data | English | United States
RT_BITMAP | 0xc0aa8 | 0x1d0 | data | English | United States
RT_BITMAP | 0xc0c78 | 0x1d0 | data | English | United States
RT_BITMAP | 0xc0e48 | 0x1d0 | data | English | United States
RT_BITMAP | 0xc1018 | 0x1d0 | data | English | United States
RT_BITMAP | 0xc11e8 | 0x1d0 | data | English | United States
RT_BITMAP | 0xc13b8 | 0x1d0 | data | English | United States
RT_BITMAP | 0xc1588 | 0x1d0 | data | English | United States
RT_BITMAP | 0xc1758 | 0xe8 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xc1840 | 0x10a8 | data | English | United States
RT_ICON | 0xc28e8 | 0x25a8 | data | English | United States
RT_ICON | 0xc4e90 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 49407, next used block 4294909696 | English | United States
RT_ICON | 0xc90b8 | 0x5488 | data | English | United States
RT_ICON | 0xce540 | 0xa2a8 | data | English | United States
RT_DIALOG | 0xd87e8 | 0x52 | data | - | -
RT_DIALOG | 0xd883c | 0x52 | data | - | -
RT_STRING | 0xd8890 | 0x174 | data | - | -
RT_STRING | 0xd8a04 | 0x3ec | data | - | -
RT_STRING | 0xd8df0 | 0x520 | data | - | -
RT_STRING | 0xd9310 | 0x224 | data | - | -
RT_STRING | 0xd9534 | 0xc8 | data | - | -
RT_STRING | 0xd95fc | 0x10c | data | - | -
RT_STRING | 0xd9708 | 0x2cc | data | - | -
RT_STRING | 0xd99d4 | 0x3f0 | data | - | -
RT_STRING | 0xd9dc4 | 0x390 | data | - | -
RT_STRING | 0xda154 | 0x370 | data | - | -
RT_STRING | 0xda4c4 | 0x390 | data | - | -
RT_STRING | 0xda854 | 0xd0 | data | - | -
RT_STRING | 0xda924 | 0xa0 | data | - | -
RT_STRING | 0xda9c4 | 0x2b8 | data | - | -
RT_STRING | 0xdac7c | 0x474 | data | - | -
RT_STRING | 0xdb0f0 | 0x38c | data | - | -
RT_STRING | 0xdb47c | 0x2b4 | data | - | -
RT_RCDATA | 0xdb730 | 0x10 | data | - | -
RT_RCDATA | 0xdb740 | 0x434 | data | - | -
RT_RCDATA | 0xdbb74 | 0x6b9 | Delphi compiled form 'T__2325477761' | - | -
RT_RCDATA | 0xdc230 | 0x861 | Delphi compiled form 'T__2325686981' | - | -
RT_RCDATA | 0xdca94 | 0x72fce | GIF image data, version 89a, 808 x 236 | English | United States
RT_GROUP_CURSOR | 0x14fa64 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x14fa78 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x14fa8c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x14faa0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x14fab4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x14fac8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x14fadc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_ICON | 0x14faf0 | 0x4c | data | English | United States
RT_MANIFEST | 0x14fb3c | 0x336 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators | English | United States

Imports

DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, NotifyWinEvent, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawStateA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CharNextW, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetROP2, GetPolyFillMode, GetPixelFormat, GetPixel, GetPaletteEntries, GetObjectA, GetMapMode, GetGraphicsMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileAttributesA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetComputerNameA, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CreateDirectoryA, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
oleaut32.dll | GetErrorInfo, GetActiveObject, VariantInit, SysFreeString
ole32.dll | CoTaskMemFree, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
wininet.dll | InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCloseHandle
oleacc.dll | LresultFromObject
winmm.dll | sndPlaySoundA
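Most of the import table above is the Delphi VCL runtime (user32, gdi32, comctl32, oleaut32), which is what a GUI application compiled with Delphi always pulls in. The rows worth a second look are wininet.dll (InternetOpenA, InternetOpenUrlA, InternetReadFile: fetch a URL into memory), the kernel32 VirtualAlloc/VirtualProtect/CreateThread group (map and run code in memory) and FindResourceA/LoadResource/LockResource/SizeofResource (read an embedded resource, such as the 0x72fce-byte RT_RCDATA entry in the resource table). The following Python is an added triage example, not the report's own tooling: it parses rows in the flattened "dllname.dllFuncA, FuncB" form the report prints and maps the API names onto coarse capability buckets. The bucket names and the API-to-bucket table are this example's own assumptions, not a published rule set, and the sample rows are a subset of the table above.

```python
"""Capability triage over a flattened sandbox import listing.

Added example, not part of the original report. Parses rows of the form
"<dll>.dll<Func1>, <Func2>, ..." and maps the imported API names onto
coarse capability buckets. The bucket definitions are an assumption made
for this example, not a published rule set.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the report's rows, in the same flattened
# layout (DLL name immediately followed by the comma-separated imports).
SAMPLE_IMPORT_ROWS = [
    "kernel32.dllGetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, "
    "GetProcAddress, GetModuleHandleA, LoadLibraryExA",
    "kernel32.dlllstrcpyA, WriteFile, VirtualProtect, VirtualAlloc, "
    "SizeofResource, LockResource, LoadResource, FindResourceA, CreateThread",
    "wininet.dllInternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCloseHandle",
    "advapi32.dllRegQueryValueExA, RegOpenKeyExA, RegCloseKey",
    "user32.dllCreateWindowExA, MessageBoxA",
]

# The DLL name ends at the first ".dll"; everything after it is the import list.
ROW_RE = re.compile(r"^(?P<dll>[A-Za-z0-9_.-]+?\.dll)(?P<funcs>.*)$", re.IGNORECASE)

# API name -> capability bucket (assumed mapping for this example).
CAPABILITY_TABLE = {
    "loader": {"VirtualAlloc", "VirtualProtect", "GetProcAddress",
               "LoadLibraryA", "LoadLibraryExA", "CreateThread"},
    "embedded-resource": {"FindResourceA", "LoadResource",
                          "LockResource", "SizeofResource"},
    "http-download": {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile"},
}


def parse_import_rows(rows):
    """Return {dll_name_lower: set_of_function_names}; rows that do not
    start with a DLL name are skipped rather than raising."""
    imports = defaultdict(set)
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        funcs = {f.strip() for f in m.group("funcs").split(",") if f.strip()}
        imports[m.group("dll").lower()] |= funcs
    return dict(imports)


def capabilities(imports):
    """Return {bucket: sorted list of matched APIs} for every bucket hit."""
    all_funcs = set().union(*imports.values())
    return {bucket: sorted(all_funcs & apis)
            for bucket, apis in CAPABILITY_TABLE.items() if all_funcs & apis}


def is_downloader_loader(imports):
    """Heuristic: the binary can fetch a URL into memory *and* has the
    primitives to make that memory executable and run it."""
    caps = capabilities(imports)
    return "http-download" in caps and "loader" in caps


if __name__ == "__main__":
    imps = parse_import_rows(SAMPLE_IMPORT_ROWS)
    for bucket, hits in capabilities(imps).items():
        print(f"{bucket}: {', '.join(hits)}")
    print("downloader+loader:", is_downloader_loader(imps))
```

The heuristic deliberately keys on the combination rather than any single API: VirtualAlloc alone is in every Delphi binary, and wininet alone is in every update checker. Seeing both, plus resource-reading calls next to one oversized RT_RCDATA entry, is what separates this sample from the boilerplate VCL imports around it.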

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/20/20-11:28:40.241774 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49769 | 587 | 192.168.2.4 | 192.186.237.168
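The Snort alert fires on a single session from the analysis host (192.168.2.4) to 192.186.237.168 on TCP 587, the mail submission port; the TCP packet table further down lists traffic packet by packet, so the same session has to be reassembled from its rows before it can be matched to the alert. The Python below is an added example, not part of the report: it groups packet rows in the report's "timestamp, source port, dest port, source IP, dest IP" layout into flows, takes the first packet seen as the initiator, and flags flows that an internal host opens to a mail port. The packet lines are constructed: three mirror the port 443 rows from the table, and three stand in for the port 587 session the alert refers to (that session's per-packet rows are not in this excerpt, so their timestamps and packet count are invented). The mail-port set and the internal address prefix are assumptions.

```python
"""Reassemble per-packet sandbox rows into flows and flag mail-port exfil.

Added example, not part of the original report. Rows are accepted in the
report's column order (timestamp with timezone, source port, dest port,
source IP, dest IP), separated by whitespace or '|'. The mail-port
watch-list and the internal prefix are assumptions for this example.
"""
import re
from datetime import datetime

MAIL_PORTS = {25, 465, 587}      # SMTP, SMTPS, submission (assumed watch-list)
INTERNAL_PREFIX = "192.168."     # sandbox host range seen in the report (assumption)

PACKET_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+)\s+(?P<tz>[A-Z]+)"
    r"[\s|]+(?P<sport>\d+)[\s|]+(?P<dport>\d+)[\s|]+(?P<src>[\d.]+)[\s|]+(?P<dst>[\d.]+)\s*$"
)

# Constructed input: first three rows copied from the report's table, the
# last three are a stand-in for the port 587 session the Snort alert names.
SAMPLE_PACKETS = """\
Nov 20, 2020 11:26:39.232889891 CET 49733 443 192.168.2.4 162.159.138.232
Nov 20, 2020 11:26:39.249454975 CET 443 49733 162.159.138.232 192.168.2.4
Nov 20, 2020 11:26:39.249602079 CET 49733 443 192.168.2.4 162.159.138.232
Nov 20, 2020 11:28:40.100000000 CET 49769 587 192.168.2.4 192.186.237.168
Nov 20, 2020 11:28:40.241774000 CET 587 49769 192.186.237.168 192.168.2.4
Nov 20, 2020 11:28:40.300000000 CET 49769 587 192.168.2.4 192.186.237.168
"""


def parse_packets(text):
    """Return [(timestamp, src, sport, dst, dport)]; unparseable rows are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S")
        # The report prints nanoseconds; datetime holds microseconds, so truncate.
        ts = ts.replace(microsecond=int(m["frac"][:6].ljust(6, "0")))
        pkts.append((ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return pkts


def build_flows(pkts):
    """Group packets by unordered endpoint pair. The first packet seen for a
    pair defines the client (initiator); later packets are counted per direction."""
    flows = {}
    for ts, src, sport, dst, dport in pkts:
        key = frozenset({(src, sport), (dst, dport)})
        f = flows.get(key)
        if f is None:
            f = flows[key] = {"client": (src, sport), "server": (dst, dport),
                              "first": ts, "last": ts, "c2s": 0, "s2c": 0}
        f["last"] = max(f["last"], ts)
        if (src, sport) == f["client"]:
            f["c2s"] += 1
        else:
            f["s2c"] += 1
    return list(flows.values())


def mail_exfil_candidates(flows):
    """Flows opened by an internal host towards a mail port."""
    return [f for f in flows
            if f["client"][0].startswith(INTERNAL_PREFIX) and f["server"][1] in MAIL_PORTS]


def describe(flow):
    dur = (flow["last"] - flow["first"]).total_seconds()
    c, s = flow["client"], flow["server"]
    return f"{c[0]}:{c[1]} -> {s[0]}:{s[1]} pkts={flow['c2s'] + flow['s2c']} dur={dur:.3f}s"


if __name__ == "__main__":
    flows = build_flows(parse_packets(SAMPLE_PACKETS))
    for f in mail_exfil_candidates(flows):
        print("mail-port flow from internal host:", describe(f))
```

The direction rule matters for this kind of data: the report lists packets in both directions, and without pinning the initiator to the first packet a reply from 587 back to the ephemeral port would be read as an inbound SMTP connection and missed by the port check.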

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2020 11:26:39.232889891 CET | 49733 | 443 | 192.168.2.4 | 162.159.138.232
Nov 20, 2020 11:26:39.249454975 CET | 443 | 49733 | 162.159.138.232 | 192.168.2.4
Nov 20, 2020 11:26:39.249602079 CET | 49733 | 443 | 192.168.2.4 | 162.159.138.232
Nov 20, 2020 11:26:39.250047922 CET | 49733 | 443 | 192.168.2.4 | 162.159.138.232
Nov 20, 2020 11:26:39.266573906 CET | 443 | 49733 | 162.159.138.232 | 192.168.2.4
Nov 20, 2020 11:26:39.266729116 CET | 49733 | 443 | 192.168.2.4 | 162.159.138.232
Nov 20, 2020 11:26:39.351433039 CET | 49734 | 443 | 192.168.2.4 | 162.159.135.233
Nov 20, 2020 11:26:39.367850065 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.367970943 CET | 49734 | 443 | 192.168.2.4 | 162.159.135.233
Nov 20, 2020 11:26:39.384814024 CET | 49734 | 443 | 192.168.2.4 | 162.159.135.233
Nov 20, 2020 11:26:39.401174068 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.402167082 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.402210951 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.402235985 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.402282953 CET | 49734 | 443 | 192.168.2.4 | 162.159.135.233
Nov 20, 2020 11:26:39.402342081 CET | 49734 | 443 | 192.168.2.4 | 162.159.135.233
Nov 20, 2020 11:26:39.554016113 CET | 49734 | 443 | 192.168.2.4 | 162.159.135.233
Nov 20, 2020 11:26:39.570513010 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.570945024 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.571019888 CET | 49734 | 443 | 192.168.2.4 | 162.159.135.233
Nov 20, 2020 11:26:39.587100029 CET | 49734 | 443 | 192.168.2.4 | 162.159.135.233
Nov 20, 2020 11:26:39.603673935 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.628701925 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.628735065 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.628773928 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.628796101 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.628830910 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.628860950 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.628901005 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.628911972 CET | 49734 | 443 | 192.168.2.4 | 162.159.135.233
Nov 20, 2020 11:26:39.628928900 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.628963947 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.628979921 CET | 49734 | 443 | 192.168.2.4 | 162.159.135.233
Nov 20, 2020 11:26:39.628999949 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.629026890 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.629060030 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.629095078 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.629097939 CET | 49734 | 443 | 192.168.2.4 | 162.159.135.233
Nov 20, 2020 11:26:39.629112959 CET | 49734 | 443 | 192.168.2.4 | 162.159.135.233
Nov 20, 2020 11:26:39.629143000 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.629170895 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.629193068 CET | 49734 | 443 | 192.168.2.4 | 162.159.135.233
Nov 20, 2020 11:26:39.629208088 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.629239082 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.629260063 CET | 49734 | 443 | 192.168.2.4 | 162.159.135.233
Nov 20, 2020 11:26:39.629277945 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.629313946 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.629333019 CET | 49734 | 443 | 192.168.2.4 | 162.159.135.233
Nov 20, 2020 11:26:39.629349947 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.629386902 CET | 49734 | 443 | 192.168.2.4 | 162.159.135.233
Nov 20, 2020 11:26:39.629407883 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.629457951 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.629462957 CET | 49734 | 443 | 192.168.2.4 | 162.159.135.233
Nov 20, 2020 11:26:39.629494905 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.629520893 CET | 49734 | 443 | 192.168.2.4 | 162.159.135.233
Nov 20, 2020 11:26:39.629538059 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.629580021 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.629592896 CET | 49734 | 443 | 192.168.2.4 | 162.159.135.233
Nov 20, 2020 11:26:39.629623890 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.629657984 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
Nov 20, 2020 11:26:39.629669905 CET | 49734 | 443 | 192.168.2.4 | 162.159.135.233
Nov 20, 2020 11:26:39.629699945 CET | 443 | 49734 | 162.159.135.233 | 192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.629740000 CET49734443192.168.2.4162.159.135.233
                                                                                                                                                Nov 20, 2020 11:26:39.629741907 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.629784107 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.629795074 CET49734443192.168.2.4162.159.135.233
                                                                                                                                                Nov 20, 2020 11:26:39.629827023 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.629863024 CET49734443192.168.2.4162.159.135.233
                                                                                                                                                Nov 20, 2020 11:26:39.629868031 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.629909992 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.629940987 CET49734443192.168.2.4162.159.135.233
                                                                                                                                                Nov 20, 2020 11:26:39.629952908 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.629992962 CET49734443192.168.2.4162.159.135.233
                                                                                                                                                Nov 20, 2020 11:26:39.629995108 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.630037069 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.630078077 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.630079985 CET49734443192.168.2.4162.159.135.233
                                                                                                                                                Nov 20, 2020 11:26:39.630120993 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.630161047 CET49734443192.168.2.4162.159.135.233
                                                                                                                                                Nov 20, 2020 11:26:39.630162001 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.630198956 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.630239010 CET49734443192.168.2.4162.159.135.233
                                                                                                                                                Nov 20, 2020 11:26:39.630239964 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.630283117 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.630290985 CET49734443192.168.2.4162.159.135.233
                                                                                                                                                Nov 20, 2020 11:26:39.630325079 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.630350113 CET49734443192.168.2.4162.159.135.233
                                                                                                                                                Nov 20, 2020 11:26:39.630367994 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.630403042 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.630434990 CET49734443192.168.2.4162.159.135.233
                                                                                                                                                Nov 20, 2020 11:26:39.630445957 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.630486965 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.630498886 CET49734443192.168.2.4162.159.135.233
                                                                                                                                                Nov 20, 2020 11:26:39.630528927 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.630569935 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.630573034 CET49734443192.168.2.4162.159.135.233
                                                                                                                                                Nov 20, 2020 11:26:39.630605936 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.630616903 CET49734443192.168.2.4162.159.135.233
                                                                                                                                                Nov 20, 2020 11:26:39.630647898 CET44349734162.159.135.233192.168.2.4
                                                                                                                                                Nov 20, 2020 11:26:39.630690098 CET44349734162.159.135.233192.168.2.4

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 20, 2020 11:26:32.792489052 CET  62389        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:26:32.819657087 CET  53           62389      8.8.8.8          192.168.2.4
Nov 20, 2020 11:26:35.601994991 CET  49910        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:26:35.629121065 CET  53           49910      8.8.8.8          192.168.2.4
Nov 20, 2020 11:26:36.283905029 CET  55854        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:26:36.311135054 CET  53           55854      8.8.8.8          192.168.2.4
Nov 20, 2020 11:26:37.126955032 CET  64549        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:26:37.154706955 CET  53           64549      8.8.8.8          192.168.2.4
Nov 20, 2020 11:26:37.792318106 CET  63153        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:26:37.819264889 CET  53           63153      8.8.8.8          192.168.2.4
Nov 20, 2020 11:26:38.827524900 CET  52991        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:26:38.854659081 CET  53           52991      8.8.8.8          192.168.2.4
Nov 20, 2020 11:26:39.186790943 CET  53700        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:26:39.213973999 CET  53           53700      8.8.8.8          192.168.2.4
Nov 20, 2020 11:26:39.320950985 CET  51726        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:26:39.348053932 CET  53           51726      8.8.8.8          192.168.2.4
Nov 20, 2020 11:26:39.776696920 CET  56794        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:26:39.803807020 CET  53           56794      8.8.8.8          192.168.2.4
Nov 20, 2020 11:26:40.474920988 CET  56534        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:26:40.502110004 CET  53           56534      8.8.8.8          192.168.2.4
Nov 20, 2020 11:26:43.134888887 CET  56627        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:26:43.170541048 CET  53           56627      8.8.8.8          192.168.2.4
Nov 20, 2020 11:26:43.941832066 CET  56621        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:26:43.968853951 CET  53           56621      8.8.8.8          192.168.2.4
Nov 20, 2020 11:26:45.275043964 CET  63116        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:26:45.302392960 CET  53           63116      8.8.8.8          192.168.2.4
Nov 20, 2020 11:26:45.946240902 CET  64078        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:26:45.973328114 CET  53           64078      8.8.8.8          192.168.2.4
Nov 20, 2020 11:26:46.632827997 CET  64801        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:26:46.659902096 CET  53           64801      8.8.8.8          192.168.2.4
Nov 20, 2020 11:26:48.414572954 CET  61721        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:26:48.441579103 CET  53           61721      8.8.8.8          192.168.2.4
Nov 20, 2020 11:26:49.274547100 CET  51255        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:26:49.301678896 CET  53           51255      8.8.8.8          192.168.2.4
Nov 20, 2020 11:27:00.108504057 CET  61522        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:27:00.135812044 CET  53           61522      8.8.8.8          192.168.2.4
Nov 20, 2020 11:27:06.561269999 CET  52337        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:27:06.588347912 CET  53           52337      8.8.8.8          192.168.2.4
Nov 20, 2020 11:27:06.743603945 CET  55046        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:27:06.770800114 CET  53           55046      8.8.8.8          192.168.2.4
Nov 20, 2020 11:27:17.017287970 CET  49612        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:27:17.044492960 CET  53           49612      8.8.8.8          192.168.2.4
Nov 20, 2020 11:27:17.254802942 CET  49285        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:27:17.281923056 CET  53           49285      8.8.8.8          192.168.2.4
Nov 20, 2020 11:27:19.579334974 CET  50601        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:27:19.606564999 CET  53           50601      8.8.8.8          192.168.2.4
Nov 20, 2020 11:27:27.568802118 CET  60875        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:27:27.604479074 CET  53           60875      8.8.8.8          192.168.2.4
Nov 20, 2020 11:27:29.021965027 CET  56448        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:27:29.057634115 CET  53           56448      8.8.8.8          192.168.2.4
Nov 20, 2020 11:27:30.008707047 CET  59172        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:27:30.046601057 CET  53           59172      8.8.8.8          192.168.2.4
Nov 20, 2020 11:27:30.880028963 CET  62420        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:27:30.915757895 CET  53           62420      8.8.8.8          192.168.2.4
Nov 20, 2020 11:27:32.223314047 CET  60579        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:27:32.259016037 CET  53           60579      8.8.8.8          192.168.2.4
Nov 20, 2020 11:27:34.161514997 CET  50183        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:27:34.197279930 CET  53           50183      8.8.8.8          192.168.2.4
Nov 20, 2020 11:27:34.857017994 CET  61531        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:27:34.892985106 CET  53           61531      8.8.8.8          192.168.2.4
Nov 20, 2020 11:27:35.454413891 CET  49228        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:27:35.481477022 CET  53           49228      8.8.8.8          192.168.2.4
Nov 20, 2020 11:27:35.776987076 CET  59794        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:27:35.812496901 CET  53           59794      8.8.8.8          192.168.2.4
Nov 20, 2020 11:27:37.052122116 CET  55916        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:27:37.087802887 CET  53           55916      8.8.8.8          192.168.2.4
Nov 20, 2020 11:27:37.744098902 CET  52752        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:27:37.781842947 CET  53           52752      8.8.8.8          192.168.2.4
Nov 20, 2020 11:27:43.113318920 CET  60542        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:27:43.154879093 CET  53           60542      8.8.8.8          192.168.2.4
Nov 20, 2020 11:28:10.708352089 CET  60689        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:28:10.735510111 CET  53           60689      8.8.8.8          192.168.2.4
Nov 20, 2020 11:28:12.690224886 CET  64206        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:28:12.717282057 CET  53           64206      8.8.8.8          192.168.2.4
Nov 20, 2020 11:28:38.509129047 CET  50904        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:28:38.551346064 CET  53           50904      8.8.8.8          192.168.2.4
Nov 20, 2020 11:28:38.563013077 CET  57525        53         192.168.2.4      8.8.8.8
Nov 20, 2020 11:28:38.605150938 CET  53           57525      8.8.8.8          192.168.2.4

DNS Queries

Timestamp                            Source IP        Dest IP      Trans ID  OP Code             Name                        Type            Class
Nov 20, 2020 11:26:39.186790943 CET  192.168.2.4      8.8.8.8      0xf2f2    Standard query (0)  discord.com                 A (IP address)  IN (0x0001)
Nov 20, 2020 11:26:39.320950985 CET  192.168.2.4      8.8.8.8      0xeb99    Standard query (0)  cdn.discordapp.com          A (IP address)  IN (0x0001)
Nov 20, 2020 11:27:06.561269999 CET  192.168.2.4      8.8.8.8      0x8397    Standard query (0)  discord.com                 A (IP address)  IN (0x0001)
Nov 20, 2020 11:27:06.743603945 CET  192.168.2.4      8.8.8.8      0x49bf    Standard query (0)  cdn.discordapp.com          A (IP address)  IN (0x0001)
Nov 20, 2020 11:27:17.017287970 CET  192.168.2.4      8.8.8.8      0x10dc    Standard query (0)  discord.com                 A (IP address)  IN (0x0001)
Nov 20, 2020 11:27:17.254802942 CET  192.168.2.4      8.8.8.8      0xe9b5    Standard query (0)  cdn.discordapp.com          A (IP address)  IN (0x0001)
Nov 20, 2020 11:28:38.509129047 CET  192.168.2.4      8.8.8.8      0x25c6    Standard query (0)  mail.suncurepelletmill.com  A (IP address)  IN (0x0001)
Nov 20, 2020 11:28:38.563013077 CET  192.168.2.4      8.8.8.8      0x717d    Standard query (0)  mail.suncurepelletmill.com  A (IP address)  IN (0x0001)
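The exported rows on this page lost their column separators, so two ports and two addresses sit fused in one digit run and more than one split is numerically valid (8.8.8.8 | 192.168.2.4 and 8.8.8.81 | 92.168.2.4 both parse, as do 443 | 49734 and 4434 | 9734). The Python below is an added example, not part of the Joe Sandbox report or its tooling: it enumerates every valid split of a TCP, UDP or DNS-answer row, breaks ties with the sandbox VM and resolver addresses and the service ports visible on this page, refuses to guess when a tie remains, and joins each TCP peer address back to the DNS name that resolved to it (here 162.159.135.233 to cdn.discordapp.com). The sample rows are copied from the tables on this page; the CName column is assumed empty, as it is in every answer row here, and hostnames are assumed to end in a letter so the address can be cut off the end of the name.

```python
"""Rebuild the fused network rows of a Joe Sandbox report and join TCP peers
to the DNS answers that produced them.  Added example, not report tooling."""
import re
from collections import defaultdict

# Endpoints and service ports visible on this page.  They break ties between
# numerically valid splits of the fused port/address columns (assumption).
KNOWN_HOSTS = {"192.168.2.4", "8.8.8.8"}   # sandbox VM and its resolver
KNOWN_PORTS = {53, 443}                     # DNS and HTTPS in this capture

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]+)(.*)$")
# Answer rows: ips, txid, reply code, name, address, type, class.  Assumes the
# CName column is empty (true for every row here) and names end in a letter.
ANSWER_RE = re.compile(
    r"^(?P<ips>[\d.]+)(?P<txid>0x[0-9a-f]{4})(?P<rcode>[^()]+\(\d+\))"
    r"(?P<name>.+?[a-z])(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?P<rtype>[A-Z]+ \([^)]*\))(?P<rclass>IN \(0x[0-9a-f]{4}\))$")


def _valid_ip(s):
    parts = s.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and (p == "0" or p[0] != "0") and int(p) <= 255 for p in parts)


def _valid_port(s):
    return s.isdigit() and s[0] != "0" and int(s) <= 65535


def split_ip_pair(s):
    """Every cut of a fused 'ip1ip2' string into two valid dotted quads."""
    return [(s[:i], s[i:]) for i in range(7, len(s) - 6)
            if _valid_ip(s[:i]) and _valid_ip(s[i:])]


def _pick(cands, score):
    """Best-scoring candidate; refuse to guess when the best is not unique."""
    if not cands:
        raise ValueError("no valid split")
    best = max(score(c) for c in cands)
    winners = [c for c in cands if score(c) == best]
    if len(winners) != 1:
        raise ValueError(f"ambiguous split: {winners}")
    return winners[0]


def parse_packet_row(row):
    """'<ts>44349734162.159.135.233192.168.2.4' -> ports and addresses."""
    ts, rest = TS_RE.match(row.strip()).groups()
    cands = []
    for i in range(1, len(rest)):            # try every port1 | port2 | ips cut
        for j in range(i + 1, len(rest)):
            p1, p2 = rest[:i], rest[i:j]
            if _valid_port(p1) and _valid_port(p2):
                cands += [(int(p1), int(p2), a, b) for a, b in split_ip_pair(rest[j:])]
    sport, dport, src, dst = _pick(cands, lambda c: (
        (c[2] in KNOWN_HOSTS) + (c[3] in KNOWN_HOSTS)
        + (c[0] in KNOWN_PORTS) + (c[1] in KNOWN_PORTS)))
    return {"ts": ts, "sport": sport, "dport": dport, "src": src, "dst": dst}


def parse_dns_answer_row(row):
    """One 'DNS Answers' row -> resolver, client, txid, name and address."""
    ts, rest = TS_RE.match(row.strip()).groups()
    m = ANSWER_RE.match(rest)
    if m is None:
        raise ValueError(f"unrecognised answer row: {row!r}")
    src, dst = _pick(split_ip_pair(m["ips"]),
                     lambda c: (c[0] in KNOWN_HOSTS) + (c[1] in KNOWN_HOSTS))
    return {"ts": ts, "src": src, "dst": dst, "txid": m["txid"],
            "rcode": m["rcode"], "name": m["name"], "addr": m["addr"],
            "rtype": m["rtype"]}


def annotate_flows(packet_rows, answer_rows):
    """(src, sport, dst, dport, names) per packet; names are the DNS names
    whose answers carried the non-sandbox peer address."""
    resolved = defaultdict(set)
    for row in answer_rows:
        ans = parse_dns_answer_row(row)
        resolved[ans["addr"]].add(ans["name"])
    flows = []
    for row in packet_rows:
        p = parse_packet_row(row)
        peer = p["dst"] if p["src"] in KNOWN_HOSTS else p["src"]
        flows.append((p["src"], p["sport"], p["dst"], p["dport"],
                      sorted(resolved.get(peer, ()))))
    return flows


# Sample rows copied from the tables on this page.
TCP_ROWS = [
    "Nov 20, 2020 11:26:39.629208088 CET44349734162.159.135.233192.168.2.4",
    "Nov 20, 2020 11:26:39.629260063 CET49734443192.168.2.4162.159.135.233",
]
UDP_ROWS = [
    "Nov 20, 2020 11:26:32.792489052 CET6238953192.168.2.48.8.8.8",
    "Nov 20, 2020 11:26:32.819657087 CET53623898.8.8.8192.168.2.4",
]
DNS_ANSWER_ROWS = [
    "Nov 20, 2020 11:26:39.213973999 CET8.8.8.8192.168.2.40xf2f2No error (0)"
    "discord.com162.159.138.232A (IP address)IN (0x0001)",
    "Nov 20, 2020 11:26:39.348053932 CET8.8.8.8192.168.2.40xeb99No error (0)"
    "cdn.discordapp.com162.159.135.233A (IP address)IN (0x0001)",
]

if __name__ == "__main__":
    for flow in annotate_flows(TCP_ROWS + UDP_ROWS, DNS_ANSWER_ROWS):
        print(flow)
```

The scoring counts how many of the two addresses and two ports are already known endpoints, which is enough to make every row on this page unambiguous; on a capture with an unknown resolver or a non-standard port, widen KNOWN_HOSTS and KNOWN_PORTS from the report's own DNS table before trusting the split, and treat a raised ValueError as a row that needs a manual look rather than a row to drop.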

DNS Answers

Timestamp                            Source IP    Dest IP      Trans ID  Reply Code    Name                CName  Address          Type            Class
Nov 20, 2020 11:26:39.213973999 CET  8.8.8.8      192.168.2.4  0xf2f2    No error (0)  discord.com                162.159.138.232  A (IP address)  IN (0x0001)
Nov 20, 2020 11:26:39.213973999 CET  8.8.8.8      192.168.2.4  0xf2f2    No error (0)  discord.com                162.159.137.232  A (IP address)  IN (0x0001)
Nov 20, 2020 11:26:39.213973999 CET  8.8.8.8      192.168.2.4  0xf2f2    No error (0)  discord.com                162.159.128.233  A (IP address)  IN (0x0001)
Nov 20, 2020 11:26:39.213973999 CET  8.8.8.8      192.168.2.4  0xf2f2    No error (0)  discord.com                162.159.135.232  A (IP address)  IN (0x0001)
Nov 20, 2020 11:26:39.213973999 CET  8.8.8.8      192.168.2.4  0xf2f2    No error (0)  discord.com                162.159.136.232  A (IP address)  IN (0x0001)
Nov 20, 2020 11:26:39.348053932 CET  8.8.8.8      192.168.2.4  0xeb99    No error (0)  cdn.discordapp.com         162.159.135.233  A (IP address)  IN (0x0001)
Nov 20, 2020 11:26:39.348053932 CET  8.8.8.8      192.168.2.4  0xeb99    No error (0)  cdn.discordapp.com         162.159.133.233  A (IP address)  IN (0x0001)
Nov 20, 2020 11:26:39.348053932 CET  8.8.8.8      192.168.2.4  0xeb99    No error (0)  cdn.discordapp.com         162.159.130.233  A (IP address)  IN (0x0001)
Nov 20, 2020 11:26:39.348053932 CET  8.8.8.8      192.168.2.4  0xeb99    No error (0)  cdn.discordapp.com         162.159.134.233  A (IP address)  IN (0x0001)
Nov 20, 2020 11:26:39.348053932 CET  8.8.8.8      192.168.2.4  0xeb99    No error (0)  cdn.discordapp.com         162.159.129.233  A (IP address)  IN (0x0001)
Nov 20, 2020 11:27:06.588347912 CET  8.8.8.8      192.168.2.4  0x8397    No error (0)  discord.com                162.159.138.232  A (IP address)  IN (0x0001)
Nov 20, 2020 11:27:06.588347912 CET  8.8.8.8      192.168.2.4  0x8397    No error (0)  discord.com                162.159.137.232  A (IP address)  IN (0x0001)
Nov 20, 2020 11:27:06.588347912 CET  8.8.8.8      192.168.2.4  0x8397    No error (0)  discord.com                162.159.128.233  A (IP address)  IN (0x0001)
Nov 20, 2020 11:27:06.588347912 CET  8.8.8.8      192.168.2.4  0x8397    No error (0)  discord.com                162.159.135.232  A (IP address)  IN (0x0001)
Nov 20, 2020 11:27:06.588347912 CET  8.8.8.8      192.168.2.4  0x8397    No error (0)  discord.com                162.159.136.232  A (IP address)  IN (0x0001)
Nov 20, 2020 11:27:06.770800114 CET  8.8.8.8      192.168.2.4  0x49bf    No error (0)  cdn.discordapp.com         162.159.135.233  A (IP address)  IN (0x0001)
Nov 20, 2020 11:27:06.770800114 CET  8.8.8.8      192.168.2.4  0x49bf    No error (0)  cdn.discordapp.com         162.159.133.233  A (IP address)  IN (0x0001)
Nov 20, 2020 11:27:06.770800114 CET  8.8.8.8      192.168.2.4  0x49bf    No error (0)  cdn.discordapp.com         162.159.130.233  A (IP address)  IN (0x0001)
                                                                                                                                                Nov 20, 2020 11:27:06.770800114 CET8.8.8.8192.168.2.40x49bfNo error (0)cdn.discordapp.com162.159.134.233A (IP address)IN (0x0001)
                                                                                                                                                Nov 20, 2020 11:27:06.770800114 CET8.8.8.8192.168.2.40x49bfNo error (0)cdn.discordapp.com162.159.129.233A (IP address)IN (0x0001)
                                                                                                                                                Nov 20, 2020 11:27:17.044492960 CET8.8.8.8192.168.2.40x10dcNo error (0)discord.com162.159.136.232A (IP address)IN (0x0001)
                                                                                                                                                Nov 20, 2020 11:27:17.044492960 CET8.8.8.8192.168.2.40x10dcNo error (0)discord.com162.159.128.233A (IP address)IN (0x0001)
                                                                                                                                                Nov 20, 2020 11:27:17.044492960 CET8.8.8.8192.168.2.40x10dcNo error (0)discord.com162.159.137.232A (IP address)IN (0x0001)
                                                                                                                                                Nov 20, 2020 11:27:17.044492960 CET8.8.8.8192.168.2.40x10dcNo error (0)discord.com162.159.135.232A (IP address)IN (0x0001)
                                                                                                                                                Nov 20, 2020 11:27:17.044492960 CET8.8.8.8192.168.2.40x10dcNo error (0)discord.com162.159.138.232A (IP address)IN (0x0001)
                                                                                                                                                Nov 20, 2020 11:27:17.281923056 CET8.8.8.8192.168.2.40xe9b5No error (0)cdn.discordapp.com162.159.133.233A (IP address)IN (0x0001)
                                                                                                                                                Nov 20, 2020 11:27:17.281923056 CET8.8.8.8192.168.2.40xe9b5No error (0)cdn.discordapp.com162.159.129.233A (IP address)IN (0x0001)
                                                                                                                                                Nov 20, 2020 11:27:17.281923056 CET8.8.8.8192.168.2.40xe9b5No error (0)cdn.discordapp.com162.159.134.233A (IP address)IN (0x0001)
                                                                                                                                                Nov 20, 2020 11:27:17.281923056 CET8.8.8.8192.168.2.40xe9b5No error (0)cdn.discordapp.com162.159.135.233A (IP address)IN (0x0001)
                                                                                                                                                Nov 20, 2020 11:27:17.281923056 CET8.8.8.8192.168.2.40xe9b5No error (0)cdn.discordapp.com162.159.130.233A (IP address)IN (0x0001)
                                                                                                                                                Nov 20, 2020 11:28:38.551346064 CET8.8.8.8192.168.2.40x25c6No error (0)mail.suncurepelletmill.comsuncurepelletmill.comCNAME (Canonical name)IN (0x0001)
                                                                                                                                                Nov 20, 2020 11:28:38.551346064 CET8.8.8.8192.168.2.40x25c6No error (0)suncurepelletmill.com192.186.237.168A (IP address)IN (0x0001)
                                                                                                                                                Nov 20, 2020 11:28:38.605150938 CET8.8.8.8192.168.2.40x717dNo error (0)mail.suncurepelletmill.comsuncurepelletmill.comCNAME (Canonical name)IN (0x0001)
                                                                                                                                                Nov 20, 2020 11:28:38.605150938 CET8.8.8.8192.168.2.40x717dNo error (0)suncurepelletmill.com192.186.237.168A (IP address)IN (0x0001)

HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
    (certificate chain) Subject | Issuer | Not Before | Not After
Nov 20, 2020 11:26:39.402235985 CET | 162.159.135.233 | 443 | 192.168.2.4 | 49734 | CN=ssl711320.cloudflaressl.com | CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Oct 27 01:00:00 CET 2020 | Thu May 06 01:59:59 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
    CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Sep 25 02:00:00 CEST 2014 | Tue Sep 25 01:59:59 CEST 2029
    CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029
Nov 20, 2020 11:27:06.835222006 CET | 162.159.135.233 | 443 | 192.168.2.4 | 49747 | CN=ssl711320.cloudflaressl.com | CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Oct 27 01:00:00 CET 2020 | Thu May 06 01:59:59 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
    CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Sep 25 02:00:00 CEST 2014 | Tue Sep 25 01:59:59 CEST 2029
    CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029
Nov 20, 2020 11:27:17.350728035 CET | 162.159.133.233 | 443 | 192.168.2.4 | 49749 | CN=ssl711320.cloudflaressl.com | CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Oct 27 01:00:00 CET 2020 | Thu May 06 01:59:59 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
    CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Sep 25 02:00:00 CEST 2014 | Tue Sep 25 01:59:59 CEST 2029
    CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 20, 2020 11:28:39.253923893 CET | 587 | 49769 | 192.186.237.168 | 192.168.2.4 | 220-p3plcpnl0152.prod.phx3.secureserver.net ESMTP Exim 4.93 #2 Fri, 20 Nov 2020 03:28:39 -0700
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 20, 2020 11:28:39.254440069 CET | 49769 | 587 | 192.168.2.4 | 192.186.237.168 | EHLO 367706
Nov 20, 2020 11:28:39.416418076 CET | 587 | 49769 | 192.186.237.168 | 192.168.2.4 | 250-p3plcpnl0152.prod.phx3.secureserver.net Hello 367706 [84.17.52.25]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-CHUNKING
    250-STARTTLS
    250-SMTPUTF8
    250 HELP
Nov 20, 2020 11:28:39.418677092 CET | 49769 | 587 | 192.168.2.4 | 192.186.237.168 | AUTH login Q3J5c3RhbEBzdW5jdXJlcGVsbGV0bWlsbC5jb20=
Nov 20, 2020 11:28:39.580845118 CET | 587 | 49769 | 192.186.237.168 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Nov 20, 2020 11:28:39.751188040 CET | 587 | 49769 | 192.186.237.168 | 192.168.2.4 | 235 Authentication succeeded
Nov 20, 2020 11:28:39.752032995 CET | 49769 | 587 | 192.168.2.4 | 192.186.237.168 | MAIL FROM:<Crystal@suncurepelletmill.com>
Nov 20, 2020 11:28:39.913867950 CET | 587 | 49769 | 192.186.237.168 | 192.168.2.4 | 250 OK
Nov 20, 2020 11:28:39.914614916 CET | 49769 | 587 | 192.168.2.4 | 192.186.237.168 | RCPT TO:<Crystal@suncurepelletmill.com>
Nov 20, 2020 11:28:40.077241898 CET | 587 | 49769 | 192.186.237.168 | 192.168.2.4 | 250 Accepted
Nov 20, 2020 11:28:40.077750921 CET | 49769 | 587 | 192.168.2.4 | 192.186.237.168 | DATA
Nov 20, 2020 11:28:40.239437103 CET | 587 | 49769 | 192.186.237.168 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
Nov 20, 2020 11:28:40.243258953 CET | 49769 | 587 | 192.168.2.4 | 192.186.237.168 | .
Nov 20, 2020 11:28:40.414588928 CET | 587 | 49769 | 192.186.237.168 | 192.168.2.4 | 250 OK id=1kg3ei-00An1k-5o

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 11:26:37
Start date: 20/11/2020
Path: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE'
Imagebase: 0x7ffabd480000
File size: 1346928 bytes
MD5 hash: 5D3D23738B2B4BB1F7FE3371EA7ECC76
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000001.00000002.697786352.0000000002E07000.00000020.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO, Description: Detects possible shortcut usage for .URL persistence, Source: 00000001.00000002.697786352.0000000002E07000.00000020.00000001.sdmp, Author: @itsreallynick (Nick Carr)
Reputation: low

General

Start time: 11:26:53
Start date: 20/11/2020
Path: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
Imagebase: 0x7ffabd480000
File size: 1346928 bytes
MD5 hash: 5D3D23738B2B4BB1F7FE3371EA7ECC76
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.935435728.0000000003471000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.933607178.0000000002400000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.933886627.0000000002471000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.933886627.0000000002471000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.933280290.0000000002234000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000003.694028712.00000000006BD000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.937725779.0000000004EC0000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 11:27:05
Start date: 20/11/2020
Path: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe'
Imagebase: 0x400000
File size: 1346928 bytes
MD5 hash: 5D3D23738B2B4BB1F7FE3371EA7ECC76
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000005.00000002.783743346.0000000002C67000.00000020.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO, Description: Detects possible shortcut usage for .URL persistence, Source: 00000005.00000002.783743346.0000000002C67000.00000020.00000001.sdmp, Author: @itsreallynick (Nick Carr)
Antivirus matches:
• Detection: 17%, ReversingLabs
Reputation: low

General

Start time: 11:27:14
Start date: 20/11/2020
Path: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe'
Imagebase: 0x400000
File size: 1346928 bytes
MD5 hash: 5D3D23738B2B4BB1F7FE3371EA7ECC76
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

                                                                                                                                                General

                                                                                                                                                Start time:11:27:27
                                                                                                                                                Start date:20/11/2020
                                                                                                                                                Path:C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                File size:1346928 bytes
                                                                                                                                                MD5 hash:5D3D23738B2B4BB1F7FE3371EA7ECC76
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.932033702.00000000021F4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000003.767263953.00000000004C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.935842915.0000000004F00000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.934613196.0000000003531000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.935490984.0000000004970000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                Reputation:low

                                                                                                                                                Disassembly

                                                                                                                                                Code Analysis
