
Analysis Report PO-75013.scr

Overview

General Information

Sample Name: PO-75013.scr (renamed file extension from scr to exe)
Analysis ID: 338942
MD5: e7e6ee6ef97ff797562c91e0ff401ac4
SHA1: d1ec737c87a9c0a91456f1019106b77ee2e03980
SHA256: 7eb2de2bfd05ee1e83980aa914486789d2e8f3fb3cc6e166f140302fdaf40cd9
Tags: scr

Most interesting Screenshot:

Detection

Snake Keylogger
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MultiObfuscated
Yara detected Snake Keylogger
Allocates memory in foreign processes
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
May check the online IP address of the machine
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses reg.exe to modify the Windows registry

Classification

Startup

  • System is w10x64
  • PO-75013.exe (PID: 6904 cmdline: 'C:\Users\user\Desktop\PO-75013.exe' MD5: E7E6EE6EF97FF797562C91E0FF401AC4)
    • cmd.exe (PID: 6992 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explore' /t REG_SZ /d 'C:\Users\user\explore.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 7048 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explore' /t REG_SZ /d 'C:\Users\user\explore.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • MpCmdRun.exe (PID: 7104 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
          • conhost.exe (PID: 5948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • explore.exe (PID: 6200 cmdline: 'C:\Users\user\explore.exe' MD5: E7E6EE6EF97FF797562C91E0FF401AC4)
  • explore.exe (PID: 2152 cmdline: 'C:\Users\user\explore.exe' MD5: E7E6EE6EF97FF797562C91E0FF401AC4)
  • explore.exe (PID: 6968 cmdline: 'C:\Users\user\explore.exe' MD5: E7E6EE6EF97FF797562C91E0FF401AC4)
    • InstallUtil.exe (PID: 6316 cmdline: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.277366713.0000000003C9C000.00000004.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000000.00000002.276366606.0000000003AB1000.00000004.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
Process Memory Space: PO-75013.exe PID: 6904 | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
Process Memory Space: PO-75013.exe PID: 6904 | JoeSecurity_MultiObfuscated | Yara detected MultiObfuscated | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: PO-75013.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 104.28.4.151:443 -> 192.168.2.7:49744 version: TLS 1.0
Source: PO-75013.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll | source: InstallUtil.exe, 00000011.00000000.318356080.00000000003E2000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb | source: InstallUtil.exe, 00000011.00000000.318356080.00000000003E2000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 4x nop then jmp 00C2F626h | 0_2_00C2EE1A
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 4x nop then jmp 00C2F626h | 0_2_00C2EE50
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 4x nop then mov esp, ebp | 0_2_04EAC6A0
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 0_2_04EADAA9
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 0_2_04EA46AB
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_04EA46AB
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 0_2_04EA46B0
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_04EA46B0
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_04EA41D7
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_04EA5C68
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_04EA3C14
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_04EAAF50
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 4x nop then xor edx, edx | 0_2_04EA48FD
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 0_2_04EA49C4
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_04EA49C4
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 0_2_04EA49D0
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_04EA49D0
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 4x nop then xor edx, edx | 0_2_04EA4908

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: Joe Sandbox View | IP Address: 162.88.193.70
Source: Joe Sandbox View | IP Address: 104.28.4.151
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.28.4.151:443 -> 192.168.2.7:49744 version: TLS 1.0
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
Source: PO-75013.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: PO-75013.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: PO-75013.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: PO-75013.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: PO-75013.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: PO-75013.exe | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: PO-75013.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: PO-75013.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: PO-75013.exe | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: PO-75013.exe, 00000000.00000003.272434959.0000000000FC9000.00000004.00000001.sdmp | String found in binary or memory: http://iptc.org/mpCore
Source: PO-75013.exe, 00000000.00000003.272434959.0000000000FC9000.00000004.00000001.sdmp | String found in binary or memory: http://n._
Source: PO-75013.exe, 00000000.00000003.272434959.0000000000FC9000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adp/1.0/
Source: PO-75013.exe, 00000000.00000003.272434959.0000000000FC9000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ao
Source: PO-75013.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: PO-75013.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: PO-75013.exe | String found in binary or memory: http://ocsp.digicert.com0H
Source: PO-75013.exe | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: PO-75013.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: explore.exe, 00000005.00000002.277648767.0000000000B69000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_00C299F8 | 0_2_00C299F8
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_00C2A4F0 | 0_2_00C2A4F0
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_00C2BC20 | 0_2_00C2BC20
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_00C2D6E0 | 0_2_00C2D6E0
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_00C276F0 | 0_2_00C276F0
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_00C2F650 | 0_2_00C2F650
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_00C2EE1A | 0_2_00C2EE1A
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_00C23FD8 | 0_2_00C23FD8
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_00C2F64F | 0_2_00C2F64F
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_00C2EE50 | 0_2_00C2EE50
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_04EAB5F1 | 0_2_04EAB5F1
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_04EAB600 | 0_2_04EAB600
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_04EA572A | 0_2_04EA572A
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_04EA5738 | 0_2_04EA5738
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_04EA0188 | 0_2_04EA0188
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_04EA5188 | 0_2_04EA5188
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_04EA5178 | 0_2_04EA5178
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_04EA517F | 0_2_04EA517F
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_04EAC110 | 0_2_04EAC110
Source: C:\Users\user\explore.exe | Code function: 5_2_00EE9A08 | 5_2_00EE9A08
Source: C:\Users\user\explore.exe | Code function: 5_2_00EEBC30 | 5_2_00EEBC30
Source: C:\Users\user\explore.exe | Code function: 5_2_00EEA500 | 5_2_00EEA500
Source: C:\Users\user\explore.exe | Code function: 5_2_00EED6F0 | 5_2_00EED6F0
Source: C:\Users\user\explore.exe | Code function: 5_2_00EE3FD8 | 5_2_00EE3FD8
Source: C:\Users\user\explore.exe | Code function: 5_2_00EE99F8 | 5_2_00EE99F8
Source: C:\Users\user\explore.exe | Code function: 5_2_00EEA4F0 | 5_2_00EEA4F0
Source: C:\Users\user\explore.exe | Code function: 5_2_00EEBC20 | 5_2_00EEBC20
Source: C:\Users\user\explore.exe | Code function: 5_2_00EED6E0 | 5_2_00EED6E0
Source: C:\Users\user\explore.exe | Code function: 6_2_012A9A08 | 6_2_012A9A08
Source: C:\Users\user\explore.exe | Code function: 6_2_012AA500 | 6_2_012AA500
Source: C:\Users\user\explore.exe | Code function: 6_2_012ABC30 | 6_2_012ABC30
Source: C:\Users\user\explore.exe | Code function: 6_2_012A3FD8 | 6_2_012A3FD8
Source: C:\Users\user\explore.exe | Code function: 6_2_012A76F0 | 6_2_012A76F0
Source: C:\Users\user\explore.exe | Code function: 6_2_012AD6F0 | 6_2_012AD6F0
Source: C:\Users\user\explore.exe | Code function: 6_2_012A99F8 | 6_2_012A99F8
Source: C:\Users\user\explore.exe | Code function: 6_2_012ABC20 | 6_2_012ABC20
Source: C:\Users\user\explore.exe | Code function: 6_2_012AA4F0 | 6_2_012AA4F0
Source: C:\Users\user\explore.exe | Code function: 6_2_012AD6E0 | 6_2_012AD6E0
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Source: PO-75013.exe | Static PE information: invalid certificate
Source: PO-75013.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: explore.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO-75013.exe, 00000000.00000002.274910073.0000000002890000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs PO-75013.exe
Source: PO-75013.exe, 00000000.00000002.281922390.0000000005890000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs PO-75013.exe
Source: PO-75013.exe, 00000000.00000002.281922390.0000000005890000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO-75013.exe
Source: PO-75013.exe, 00000000.00000002.276366606.0000000003AB1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRICSSWYL.exe4 vs PO-75013.exe
Source: PO-75013.exe, 00000000.00000002.274615352.0000000002780000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs PO-75013.exe
Source: PO-75013.exe, 00000000.00000002.281061800.0000000005700000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO-75013.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Section loaded: dwmapi.dll
Source: PO-75013.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explore' /t REG_SZ /d 'C:\Users\user\explore.exe'
Source: classification engine | Classification label: mal88.troj.spyw.evad.winEXE@14/6@3/3
Source: C:\Users\user\Desktop\PO-75013.exe | File created: C:\Users\user\explore.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5948:120:WilError_01
Source: C:\Users\user\Desktop\PO-75013.exe | File created: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
Source: PO-75013.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO-75013.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\explore.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\explore.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\explore.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PO-75013.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PO-75013.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PO-75013.exe | File read: C:\Users\user\Desktop\PO-75013.exe
Source: unknown | Process created: C:\Users\user\Desktop\PO-75013.exe 'C:\Users\user\Desktop\PO-75013.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explore' /t REG_SZ /d 'C:\Users\user\explore.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explore' /t REG_SZ /d 'C:\Users\user\explore.exe'
Source: unknown | Process created: C:\Users\user\explore.exe 'C:\Users\user\explore.exe'
Source: unknown | Process created: C:\Users\user\explore.exe 'C:\Users\user\explore.exe'
Source: unknown | Process created: C:\Users\user\explore.exe 'C:\Users\user\explore.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
Source: unknown | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO-75013.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explore' /t REG_SZ /d 'C:\Users\user\explore.exe'
Source: C:\Users\user\Desktop\PO-75013.exe | Process created: C:\Users\user\explore.exe 'C:\Users\user\explore.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explore' /t REG_SZ /d 'C:\Users\user\explore.exe'
Source: C:\Users\user\explore.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\PO-75013.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\PO-75013.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PO-75013.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO-75013.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: PO-75013.exe | Static file information: File size 1634760 > 1048576
Source: PO-75013.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x162e00
Source: PO-75013.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll | source: InstallUtil.exe, 00000011.00000000.318356080.00000000003E2000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb | source: InstallUtil.exe, 00000011.00000000.318356080.00000000003E2000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_00348136 pushfd ; ret | 0_2_0034814C
Source: C:\Users\user\Desktop\PO-75013.exe | Code function: 0_2_00C27494 pushad ; retf | 0_2_00C27495
Source: C:\Users\user\explore.exe | Code function: 5_2_002D8136 pushfd ; ret | 5_2_002D814C
Source: C:\Users\user\explore.exe | Code function: 5_2_00EE8980 push 84027BEDh; retf 00E7h | 5_2_00EE8ADD
Source: C:\Users\user\explore.exe | Code function: 6_2_00768136 pushfd ; ret | 6_2_0076814C
Source: C:\Users\user\explore.exe | Code function: 6_2_012A8980 push 840509EDh; retf 00FBh | 6_2_012A8ADD
Source: C:\Users\user\Desktop\PO-75013.exe | File created: C:\Users\user\explore.exe
Source: C:\Users\user\Desktop\PO-75013.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\PO-75013.exe | File created: C:\Users\user\explore.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Users\user\Desktop\PO-75013.exe | File created: C:\Users\user\explore.exe
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run explore
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run explore

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PO-75013.exe | File opened: C:\Users\user\Desktop\PO-75013.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\explore.exe | File opened: C:\Users\user\explore.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\PO-75013.exe | Process information set: NOOPENFILEERRORBOX (41 identical entries)
          Source: C:\Users\user\explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PO-75013.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\PO-75013.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\explore.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\explore.exe | Window / User API: threadDelayed 834
          Source: C:\Users\user\explore.exe | Window / User API: threadDelayed 4100
          Source: C:\Users\user\Desktop\PO-75013.exe TID: 7084 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\PO-75013.exe TID: 7096 | Thread sleep count: 69 > 30
          Source: C:\Users\user\Desktop\PO-75013.exe TID: 7096 | Thread sleep count: 102 > 30
          Source: C:\Users\user\Desktop\PO-75013.exe TID: 6924 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\explore.exe TID: 6256 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\explore.exe TID: 5996 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\explore.exe TID: 5424 | Thread sleep count: 195 > 30
          Source: C:\Users\user\explore.exe TID: 5424 | Thread sleep time: -195000s >= -30000s
          Source: C:\Users\user\explore.exe TID: 2848 | Thread sleep time: -11068046444225724s >= -30000s
          Source: C:\Users\user\explore.exe TID: 4812 | Thread sleep count: 834 > 30
          Source: C:\Users\user\explore.exe TID: 4812 | Thread sleep count: 4100 > 30
          Source: C:\Users\user\explore.exe TID: 976 | Thread sleep count: 180 > 30
          Source: C:\Users\user\explore.exe TID: 976 | Thread sleep time: -180000s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: explore.exe, 00000006.00000002.279631204.0000000003BB1000.00000004.00000001.sdmp | Binary or memory string: VMware
          Source: explore.exe, 00000006.00000002.279631204.0000000003BB1000.00000004.00000001.sdmp | Binary or memory string: vmware svga
          Source: PO-75013.exe, 00000000.00000002.281061800.0000000005700000.00000002.00000001.sdmp, reg.exe, 00000003.00000002.245256089.0000000002E00000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explore.exe, 00000006.00000002.279631204.0000000003BB1000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: PO-75013.exe, 00000000.00000002.274910073.0000000002890000.00000004.00000001.sdmp, explore.exe, 00000005.00000002.278748395.00000000038E1000.00000004.00000001.sdmp, expl