Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report MPO-003234.exe

Overview

General Information

Sample Name:MPO-003234.exe
Analysis ID:356523
MD5:8bc8526fbaafbac33118ee652ac97da6
SHA1:7b23c7209b8f37bb32803971c36ab706b4a8e34d
SHA256:cfe1f69c2984de3f5d476db3ce45aa4d95a8137f0ff1ba07c1b0cecf15075c93
Tags:exe

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • MPO-003234.exe (PID: 6584 cmdline: 'C:\Users\user\Desktop\MPO-003234.exe' MD5: 8BC8526FBAAFBAC33118EE652AC97DA6)
    • cmd.exe (PID: 6720 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 6764 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • badman.exe (PID: 7052 cmdline: 'C:\Users\user\AppData\Roaming\badman.exe' MD5: 8BC8526FBAAFBAC33118EE652AC97DA6)
      • InstallUtil.exe (PID: 6980 cmdline: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000010.00000002.432474443.0000000003EAA000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000010.00000002.432224674.0000000003D39000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 9 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.MPO-003234.exe.4b021b8.5.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              16.2.badman.exe.3ee08b0.6.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                16.2.badman.exe.3e089da.3.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  0.2.MPO-003234.exe.4acc202.6.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    0.2.MPO-003234.exe.4a602a2.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 16 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\badman.exeReversingLabs: Detection: 19%
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: MPO-003234.exeVirustotal: Detection: 24%Perma Link
                      Source: MPO-003234.exeReversingLabs: Detection: 19%
                      Machine Learning detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\badman.exeJoe Sandbox ML: detected
                      Machine Learning detection for sampleShow sources
                      Source: MPO-003234.exeJoe Sandbox ML: detected
                      Source: 25.2.InstallUtil.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8

                      Compliance:

                      barindex
                      Uses 32bit PE filesShow sources
                      Source: MPO-003234.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
                      Source: MPO-003234.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Binary contains paths to debug symbolsShow sources
                      Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000019.00000002.493071070.00000000006E2000.00000002.00020000.sdmp, zUbDt.exe.25.dr
                      Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, zUbDt.exe.25.dr
                      Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpString found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
                      Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpString found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
                      Source: MPO-003234.exe, 00000000.00000003.307888382.0000000001385000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426779004.00000000009D7000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                      Source: MPO-003234.exe, 00000000.00000003.238538980.0000000009BE4000.00000004.00000001.sdmpString found in binary or memory: http://ns.adb
                      Source: MPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmpString found in binary or memory: http://ns.ado/1
                      Source: MPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmpString found in binary or memory: http://ns.ado/1p
                      Source: MPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmp, badman.exe, 00000010.00000003.347728528.0000000009035000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.c/g
                      Source: badman.exe, 00000010.00000003.422941176.000000000903D000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.c/g%%
                      Source: badman.exe, 00000010.00000003.347207533.0000000009035000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.c/g5~
                      Source: MPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.c/gp
                      Source: MPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.cobj
                      Source: MPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.cobjp
                      Source: MPO-003234.exe, 00000000.00000003.307888382.0000000001385000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426779004.00000000009D7000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0:
                      Source: MPO-003234.exe, 00000000.00000003.307888382.0000000001385000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.msocsp.com0
                      Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.pki.goog/gsr202
                      Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.pki.goog/gts1o1core0
                      Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
                      Source: MPO-003234.exe, 00000000.00000002.331426011.0000000003102000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.427101971.00000000024E2000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/WebPage
                      Source: MPO-003234.exe, 00000000.00000002.331380288.00000000030D1000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426997303.00000000024B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpString found in binary or memory: http://wqDPxI.com
                      Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpString found in binary or memory: https://pki.goog/repository/0
                      Source: MPO-003234.exe, 00000000.00000002.331380288.00000000030D1000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426997303.00000000024B1000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com
                      Source: MPO-003234.exe, 00000000.00000002.331380288.00000000030D1000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426997303.00000000024B1000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/
                      Source: MPO-003234.exe, 00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.432474443.0000000003EAA000.00000004.00000001.sdmp, InstallUtil.exe, 00000019.00000002.492241366.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: badman.exe, 00000010.00000002.426259290.00000000008F8000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: MPO-003234.exe, c3R/Xn4.csLarge array initialization: .cctor: array initializer size 10710
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C2E0C CreateProcessAsUserW,16_2_062C2E0C
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_00CA366F0_2_00CA366F
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_014ACD200_2_014ACD20
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_014AFCE00_2_014AFCE0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_000C366F16_2_000C366F
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_0088FCE016_2_0088FCE0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD75B016_2_05FD75B0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD34F816_2_05FD34F8
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD547016_2_05FD5470
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FDF74816_2_05FDF748
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD673016_2_05FD6730
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FDE64816_2_05FDE648
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FDC61016_2_05FDC610
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD5CE016_2_05FD5CE0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FDDE6016_2_05FDDE60
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD756616_2_05FD7566
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD44F016_2_05FD44F0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD34E816_2_05FD34E8
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD44E016_2_05FD44E0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD84D816_2_05FD84D8
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD74DB16_2_05FD74DB
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD84CA16_2_05FD84CA
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD546116_2_05FD5461
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD973016_2_05FD9730
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD672016_2_05FD6720
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD972016_2_05FD9720
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FDD65816_2_05FDD658
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD61E016_2_05FD61E0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD61D216_2_05FD61D2
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD909016_2_05FD9090
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD908016_2_05FD9080
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD9DC816_2_05FD9DC8
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD9DB916_2_05FD9DB9
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD5CD016_2_05FD5CD0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FDE9F816_2_05FDE9F8
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD996816_2_05FD9968
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD995816_2_05FD9958
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FDC8C016_2_05FDC8C0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD9BE016_2_05FD9BE0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD9BD016_2_05FD9BD0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C221816_2_062C2218
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C726816_2_062C7268
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C337716_2_062C3377
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C6B4716_2_062C6B47
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C0C7816_2_062C0C78
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C508716_2_062C5087
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C90DF16_2_062C90DF
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062CB97016_2_062CB970
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C3D5F16_2_062C3D5F
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C221016_2_062C2210
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C9B6816_2_062C9B68
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C0B4F16_2_062C0B4F
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C0BA916_2_062C0BA9
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_006E20B025_2_006E20B0
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_04E446A025_2_04E446A0
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_04E445B025_2_04E445B0
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_04E4D27025_2_04E4D270
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_05DB650825_2_05DB6508
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_05DB712025_2_05DB7120
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_05DB90D825_2_05DB90D8
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_05DB685025_2_05DB6850
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                      Source: MPO-003234.exeBinary or memory string: OriginalFilename vs MPO-003234.exe
                      Source: MPO-003234.exe, 00000000.00000000.227384578.0000000000D65000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRaj.exeH vs MPO-003234.exe
                      Source: MPO-003234.exe, 00000000.00000002.340962321.0000000006140000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs MPO-003234.exe
                      Source: MPO-003234.exe, 00000000.00000002.341301388.0000000006E50000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSHCore1.dll0 vs MPO-003234.exe
                      Source: MPO-003234.exe, 00000000.00000002.336807432.00000000050F0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs MPO-003234.exe
                      Source: MPO-003234.exe, 00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamerqKssByvppSbVMHQvZHbRwnFF.exe4 vs MPO-003234.exe
                      Source: MPO-003234.exe, 00000000.00000002.341162327.0000000006B30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs MPO-003234.exe
                      Source: MPO-003234.exe, 00000000.00000002.336933467.0000000005150000.00000002.00000001.sdmpBinary or memory string: originalfilename vs MPO-003234.exe
                      Source: MPO-003234.exe, 00000000.00000002.336933467.0000000005150000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs MPO-003234.exe
                      Source: MPO-003234.exeBinary or memory string: OriginalFilenameRaj.exeH vs MPO-003234.exe
                      Source: MPO-003234.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@10/6@0/1
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile created: C:\Users\user\AppData\Roaming\badman.exeJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_01
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile created: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exeJump to behavior
                      Source: MPO-003234.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\MPO-003234.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: MPO-003234.exeVirustotal: Detection: 24%
                      Source: MPO-003234.exeReversingLabs: Detection: 19%
                      Source: MPO-003234.exeString found in binary or memory: icons8-add-48
                      Source: MPO-003234.exeString found in binary or memory: icons8-add-administrator-50
                      Source: MPO-003234.exeString found in binary or memory: icons8-add-24
                      Source: MPO-003234.exeString found in binary or memory: icons8-add-32
                      Source: badman.exeString found in binary or memory: icons8-add-24
                      Source: badman.exeString found in binary or memory: icons8-add-32
                      Source: badman.exeString found in binary or memory: icons8-add-48
                      Source: badman.exeString found in binary or memory: icons8-add-administrator-50
                      Source: MPO-003234.exeString found in binary or memory: icons8-add-24
                      Source: MPO-003234.exeString found in binary or memory: icons8-add-32[
                      Source: MPO-003234.exeString found in binary or memory: icons8-add-48
                      Source: MPO-003234.exeString found in binary or memory: 6icons8-add-administrator-50
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile read: C:\Users\user\Desktop\MPO-003234.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\MPO-003234.exe 'C:\Users\user\Desktop\MPO-003234.exe'
                      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe' Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exeJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: MPO-003234.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: MPO-003234.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000019.00000002.493071070.00000000006E2000.00000002.00020000.sdmp, zUbDt.exe.25.dr
                      Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, zUbDt.exe.25.dr
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_00CA55FE push FFFFFFD7h; ret 0_2_00CA5608
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_00CA558A push FFFFFFD7h; ret 0_2_00CA5578
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_00CA5560 push FFFFFFD7h; ret 0_2_00CA5578
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_00CA4112 push edx; ret 0_2_00CA4113
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_00CA4122 push esi; ret 0_2_00CA4123
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_00CA4AE9 push ebp; retf 0_2_00CA4AEA
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_00CA3294 push eax; retf 0_2_00CA3295
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_00CA3204 push cs; iretd 0_2_00CA3205
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_000C4112 push edx; ret 16_2_000C4113
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_000C4122 push esi; ret 16_2_000C4123
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_000C5560 push FFFFFFD7h; ret 16_2_000C5578
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_000C558A push FFFFFFD7h; ret 16_2_000C5578
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_000C55FE push FFFFFFD7h; ret 16_2_000C5608
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_000C3204 push cs; iretd 16_2_000C3205
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_000C3294 push eax; retf 16_2_000C3295
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_000C4AE9 push ebp; retf 16_2_000C4AEA
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FDA0C4 push ecx; iretd 16_2_05FDA0C6
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD3E22 push ecx; ret 16_2_05FD3E26
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C2E58 pushfd ; retf 16_2_062C2E61
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062CD2F2 push ebp; retf 16_2_062CD2FE
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C2F35 push eax; retf 16_2_062C2F3A
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C9B58 pushad ; retf 16_2_062C9B65
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_04E4B537 push 6C00005Eh; retf 25_2_04E4B551
                      Source: MPO-003234.exe, Ed8/Hb5.csHigh entropy of concatenated method names: '.ctor', 'a3S', 'Lq4', 't3R', 'Qw5', 'k1P', 'Fb7', 'Me5', 'Tz6', 'a4K'
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile created: C:\Users\user\AppData\Roaming\badman.exeJump to dropped file
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile created: C:\Users\user\AppData\Local\Temp\InstallUtil.exeJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exeJump to dropped file

                      Boot Survival:

                      barindex
                      Creates multiple autostart registry keysShow sources
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run zUbDtJump to behavior
                      Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run neilJump to behavior
                      Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run neilJump to behavior
                      Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run neilJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run zUbDtJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run zUbDtJump to behavior

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile opened: C:\Users\user\Desktop\MPO-003234.exe\:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeFile opened: C:\Users\user\AppData\Roaming\badman.exe\:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM_3Show sources
                      Source: Yara matchFile source: Process Memory Space: badman.exe PID: 7052, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: MPO-003234.exe PID: 6584, type: MEMORY
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeWindow / User API: threadDelayed 3943Jump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeWindow / User API: threadDelayed 5674Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeWindow / User API: threadDelayed 7599Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeWindow / User API: threadDelayed 2127Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWindow / User API: threadDelayed 362Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWindow / User API: threadDelayed 9461Jump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6680Thread sleep time: -16602069666338586s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6696Thread sleep count: 3943 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6696Thread sleep count: 5674 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6680Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6680Thread sleep count: 40 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exe TID: 6524Thread sleep time: -14757395258967632s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exe TID: 2084Thread sleep count: 7599 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exe TID: 2084Thread sleep count: 2127 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exe TID: 6524Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4792Thread sleep time: -14757395258967632s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4500Thread sleep count: 362 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4500Thread sleep count: 9461 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4792Thread sleep count: 34 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: VMware
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmware vmci bus device!vmware virtual s scsi disk device
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmware svga
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vboxservice
                      Source: MPO-003234.exe, 00000000.00000002.331497829.0000000003183000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: Microsoft Hyper-Vmicrosoft
                      Source: MPO-003234.exe, 00000000.00000002.340962321.0000000006140000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.242078928.00000000011D0000.00000002.00000001.sdmp, badman.exe, 00000010.00000002.433984581.0000000005580000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.502507396.0000000005AC0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmware usb pointing device
                      Source: MPO-003234.exe, 00000000.00000002.331497829.0000000003183000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmusrvc
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmware pointing device
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmware sata
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmsrvc
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmtools
                      Source: MPO-003234.exe, 00000000.00000002.331497829.0000000003183000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: Microsoft Hyper-V
                      Source: MPO-003234.exe, 00000000.00000002.340962321.0000000006140000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.242078928.00000000011D0000.00000002.00000001.sdmp, badman.exe, 00000010.00000002.433984581.0000000005580000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.502507396.0000000005AC0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: MPO-003234.exe, 00000000.00000002.340962321.0000000006140000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.242078928.00000000011D0000.00000002.00000001.sdmp, badman.exe, 00000010.00000002.433984581.0000000005580000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.502507396.0000000005AC0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmware virtual s scsi disk device
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmware vmci bus device
                      Source: badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: MPO-003234.exe, 00000000.00000002.340962321.0000000006140000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.242078928.00000000011D0000.00000002.00000001.sdmp, badman.exe, 00000010.00000002.433984581.0000000005580000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.502507396.0000000005AC0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\AppData\Roaming\badman.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5AJump to behavior
                      Writes to foreign memory regionsShow sources
                      Source: C:\Users\user\AppData\Roaming\badman.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 438000Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 43A000Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 820008Jump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe' Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exeJump to behavior
                      Source: InstallUtil.exe, 00000019.00000002.497274948.00000000013A0000.00000002.00000001.sdmpBinary or memory string: uProgram Manager
                      Source: InstallUtil.exe, 00000019.00000002.497274948.00000000013A0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: InstallUtil.exe, 00000019.00000002.497274948.00000000013A0000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: InstallUtil.exe, 00000019.00000002.497274948.00000000013A0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\MPO-003234.exeQueries volume information: C:\Users\user\Desktop\MPO-003234.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeQueries volume information: C:\Users\user\AppData\Roaming\badman.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_05DB223C GetUserNameW,25_2_05DB223C
                      Source: C:\Users\user\Desktop\MPO-003234.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000010.00000002.432474443.0000000003EAA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.432224674.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.432317195.0000000003D9C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.336384581.0000000004ACC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.492241366.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: badman.exe PID: 7052, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: MPO-003234.exe PID: 6584, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 6980, type: MEMORY
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4b021b8.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3ee08b0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3e089da.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4acc202.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4a602a2.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3ee08b0.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3eaa8fa.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4acc202.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3e089da.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4a2a2e2.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4a2a2e2.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3dd2a0a.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3e3e99a.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.49f4312.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4b021b8.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4a602a2.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.49f4312.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3eaa8fa.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3dd2a0a.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3e3e99a.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 6980, type: MEMORY

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000010.00000002.432474443.0000000003EAA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.432224674.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.432317195.0000000003D9C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.336384581.0000000004ACC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.492241366.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: badman.exe PID: 7052, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: MPO-003234.exe PID: 6584, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 6980, type: MEMORY
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4b021b8.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3ee08b0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3e089da.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4acc202.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4a602a2.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3ee08b0.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3eaa8fa.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4acc202.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3e089da.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4a2a2e2.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4a2a2e2.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3dd2a0a.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3e3e99a.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.49f4312.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4b021b8.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4a602a2.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.49f4312.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3eaa8fa.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3dd2a0a.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3e3e99a.4.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid Accounts1Windows Management Instrumentation211Valid Accounts1Valid Accounts1Disable or Modify Tools1Input Capture1Account Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsCommand and Scripting Interpreter2Registry Run Keys / Startup Folder11Access Token Manipulation1Obfuscated Files or Information1LSASS MemoryFile and Directory Discovery1Remote Desktop ProtocolInput Capture1Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Process Injection212Software Packing1Security Account ManagerSystem Information Discovery113SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Registry Run Keys / Startup Folder11Masquerading1NTDSQuery Registry1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptValid Accounts1LSA SecretsSecurity Software Discovery221SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonModify Registry1Cached Domain CredentialsVirtualization/Sandbox Evasion14VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsAccess Token Manipulation1DCSyncProcess Discovery2Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobVirtualization/Sandbox Evasion14Proc FilesystemApplication Window Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Process Injection212/etc/passwd and /etc/shadowSystem Owner/User Discovery1Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                      Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Hidden Files and Directories1Network SniffingRemote System Discovery1Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 356523 Sample: MPO-003234.exe Startdate: 23/02/2021 Architecture: WINDOWS Score: 100 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected AgentTesla 2->39 41 Yara detected AntiVM_3 2->41 43 2 other signatures 2->43 7 MPO-003234.exe 15 7 2->7         started        process3 file4 27 C:\Users\user\AppData\Roaming\badman.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\...\InstallUtil.exe, PE32 7->29 dropped 31 C:\Users\user\...\badman.exe:Zone.Identifier, ASCII 7->31 dropped 33 C:\Users\user\AppData\...\MPO-003234.exe.log, ASCII 7->33 dropped 53 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->53 11 badman.exe 14 3 7->11         started        15 cmd.exe 1 7->15         started        signatures5 process6 dnsIp7 35 192.168.2.1 unknown unknown 11->35 55 Multi AV Scanner detection for dropped file 11->55 57 Machine Learning detection for dropped file 11->57 59 Writes to foreign memory regions 11->59 61 2 other signatures 11->61 17 InstallUtil.exe 2 4 11->17         started        21 reg.exe 1 1 15->21         started        23 conhost.exe 15->23         started        signatures8 process9 file10 25 C:\Users\user\AppData\Roaming\...\zUbDt.exe, PE32 17->25 dropped 45 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->45 47 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->47 49 Creates multiple autostart registry keys 17->49 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->51 signatures11

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      MPO-003234.exe24%VirustotalBrowse
                      MPO-003234.exe19%ReversingLabsWin32.Trojan.Wacatac
                      MPO-003234.exe100%Joe Sandbox ML

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\badman.exe100%Joe Sandbox ML
                      C:\Users\user\AppData\Local\Temp\InstallUtil.exe0%MetadefenderBrowse
                      C:\Users\user\AppData\Local\Temp\InstallUtil.exe0%ReversingLabs
                      C:\Users\user\AppData\Roaming\badman.exe19%ReversingLabsWin32.Trojan.Wacatac
                      C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe0%MetadefenderBrowse
                      C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe0%ReversingLabs

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      25.2.InstallUtil.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://ns.adobe.cobj0%URL Reputationsafe
                      http://ns.adobe.cobj0%URL Reputationsafe
                      http://ns.adobe.cobj0%URL Reputationsafe
                      http://ns.adobe.cobj0%URL Reputationsafe
                      http://wqDPxI.com0%Avira URL Cloudsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      http://ocsp.pki.goog/gts1o1core00%URL Reputationsafe
                      http://ocsp.pki.goog/gts1o1core00%URL Reputationsafe
                      http://ocsp.pki.goog/gts1o1core00%URL Reputationsafe
                      http://ocsp.pki.goog/gts1o1core00%URL Reputationsafe
                      http://ns.adobe.c/gp0%Avira URL Cloudsafe
                      http://crl.pki.goog/GTS1O1core.crl00%URL Reputationsafe
                      http://crl.pki.goog/GTS1O1core.crl00%URL Reputationsafe
                      http://crl.pki.goog/GTS1O1core.crl00%URL Reputationsafe
                      http://crl.pki.goog/GTS1O1core.crl00%URL Reputationsafe
                      http://ns.adb0%Avira URL Cloudsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      http://ns.adobe.c/g%%0%Avira URL Cloudsafe
                      http://pki.goog/gsr2/GTS1O1.crt00%URL Reputationsafe
                      http://pki.goog/gsr2/GTS1O1.crt00%URL Reputationsafe
                      http://pki.goog/gsr2/GTS1O1.crt00%URL Reputationsafe
                      http://ns.adobe.cobjp0%Avira URL Cloudsafe
                      http://ns.adobe.c/g0%URL Reputationsafe
                      http://ns.adobe.c/g0%URL Reputationsafe
                      http://ns.adobe.c/g0%URL Reputationsafe
                      http://crl.pki.goog/gsr2/gsr2.crl0?0%URL Reputationsafe
                      http://crl.pki.goog/gsr2/gsr2.crl0?0%URL Reputationsafe
                      http://crl.pki.goog/gsr2/gsr2.crl0?0%URL Reputationsafe
                      http://ocsp.pki.goog/gsr2020%URL Reputationsafe
                      http://ocsp.pki.goog/gsr2020%URL Reputationsafe
                      http://ocsp.pki.goog/gsr2020%URL Reputationsafe
                      https://pki.goog/repository/00%URL Reputationsafe
                      https://pki.goog/repository/00%URL Reputationsafe
                      https://pki.goog/repository/00%URL Reputationsafe
                      http://ns.adobe.c/g5~0%Avira URL Cloudsafe
                      http://ns.ado/1p0%Avira URL Cloudsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      http://ns.ado/10%URL Reputationsafe
                      http://ns.ado/10%URL Reputationsafe
                      http://ns.ado/10%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://127.0.0.1:HTTP/1.1InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      http://DynDns.comDynDNSInstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://ns.adobe.cobjMPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://wqDPxI.comInstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haInstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://ocsp.pki.goog/gts1o1core0MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://ns.adobe.c/gpMPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://crl.pki.goog/GTS1O1core.crl0MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://ns.adbMPO-003234.exe, 00000000.00000003.238538980.0000000009BE4000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://api.ipify.org%GETMozilla/5.0InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		low
                      http://ns.adobe.c/g%%badman.exe, 00000010.00000003.422941176.000000000903D000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://pki.goog/gsr2/GTS1O1.crt0MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://ns.adobe.cobjpMPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://ns.adobe.c/gMPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmp, badman.exe, 00000010.00000003.347728528.0000000009035000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://crl.pki.goog/gsr2/gsr2.crl0?MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://ocsp.pki.goog/gsr202MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      https://pki.goog/repository/0MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://ns.adobe.c/g5~badman.exe, 00000010.00000003.347207533.0000000009035000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://ns.ado/1pMPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameMPO-003234.exe, 00000000.00000002.331380288.00000000030D1000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426997303.00000000024B1000.00000004.00000001.sdmpfalse
                        		high
                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipMPO-003234.exe, 00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.432474443.0000000003EAA000.00000004.00000001.sdmp, InstallUtil.exe, 00000019.00000002.492241366.0000000000402000.00000040.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://schema.org/WebPageMPO-003234.exe, 00000000.00000002.331426011.0000000003102000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.427101971.00000000024E2000.00000004.00000001.sdmpfalse
                          		high
                          http://ns.ado/1MPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown

                          Contacted IPs

                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs

                          Public

                          IPDomainCountryFlagASNASN NameMalicious

                          Private

                          IP
                          192.168.2.1

                          General Information

                          Joe Sandbox Version:31.0.0 Emerald
                          Analysis ID:356523
                          Start date:23.02.2021
                          Start time:09:28:13
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 11m 22s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Sample file name:MPO-003234.exe
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                          Number of analysed new started processes analysed:31
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@10/6@0/1
                          EGA Information:Failed
                          HDC Information:
                          • Successful, ratio: 3.6% (good quality ratio 1.8%)
                          • Quality average: 24.9%
                          • Quality standard deviation: 30.8%
                          HCA Information:
                          • Successful, ratio: 89%
                          • Number of executed functions: 50
                          • Number of non-executed functions: 1
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Found application associated with file extension: .exe
                          Warnings:
                          Show All
                          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                          • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 51.11.168.160, 52.255.188.83, 92.122.145.220, 104.43.193.48, 168.61.161.212, 142.250.185.164, 23.210.248.85, 93.184.221.240, 51.103.5.186, 204.79.197.200, 13.107.21.200, 51.104.144.132, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129
                          • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, www.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.

                          Simulations

                          Behavior and APIs

                          TimeTypeDescription
                          09:29:09API Interceptor194x Sleep call for process: MPO-003234.exe modified
                          09:29:12AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run neil C:\Users\user\AppData\Roaming\badman.exe
                          09:29:20AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run neil C:\Users\user\AppData\Roaming\badman.exe
                          09:29:58API Interceptor222x Sleep call for process: badman.exe modified
                          09:30:48API Interceptor135x Sleep call for process: InstallUtil.exe modified
                          09:30:59AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run zUbDt C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe
                          09:31:07AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run zUbDt C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe

                          Joe Sandbox View / Context

                          IPs

                          No context

                          Domains

                          No context

                          ASN

                          No context

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                          C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exePayment copy.exeGet hashmaliciousBrowse
                            New Order.exeGet hashmaliciousBrowse
                              YKRAB010B_KHE_Preminary Packing List.xlsx.exeGet hashmaliciousBrowse
                                RTM DIAS - CTM.exeGet hashmaliciousBrowse
                                  SecuriteInfo.com.Artemis249E62CF9BAE.exeGet hashmaliciousBrowse
                                    SecuriteInfo.com.Trojan.Packed2.42841.18110.exeGet hashmaliciousBrowse
                                      DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exeGet hashmaliciousBrowse
                                        index_2021-02-18-20_41.exeGet hashmaliciousBrowse
                                          XXXXXXXXXXXXXX.exeGet hashmaliciousBrowse
                                            IMG_144907.exeGet hashmaliciousBrowse
                                              VIIIIIIIIIIIIIC.exeGet hashmaliciousBrowse
                                                lQN1zlLSGa.exeGet hashmaliciousBrowse
                                                  Sorted Properties.exeGet hashmaliciousBrowse
                                                    DB_DHL_AWB_00117390021_AD03990399003920032.exeGet hashmaliciousBrowse
                                                      New Order 83329 PDF.exeGet hashmaliciousBrowse
                                                        NEW TENDER_ORDER 900930390097733000999_10_02_2021.exeGet hashmaliciousBrowse
                                                          Proforma Invoice February.exeGet hashmaliciousBrowse
                                                            jmsg.exeGet hashmaliciousBrowse
                                                              FORM DB_DHL_AWB_029920292092039993029333221 AD.exeGet hashmaliciousBrowse
                                                                Mortgage Description.exeGet hashmaliciousBrowse
                                                                  C:\Users\user\AppData\Local\Temp\InstallUtil.exePayment copy.exeGet hashmaliciousBrowse
                                                                    New Order.exeGet hashmaliciousBrowse
                                                                      YKRAB010B_KHE_Preminary Packing List.xlsx.exeGet hashmaliciousBrowse
                                                                        RTM DIAS - CTM.exeGet hashmaliciousBrowse
                                                                          SecuriteInfo.com.Artemis249E62CF9BAE.exeGet hashmaliciousBrowse
                                                                            SecuriteInfo.com.Trojan.Packed2.42841.18110.exeGet hashmaliciousBrowse
                                                                              DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exeGet hashmaliciousBrowse
                                                                                index_2021-02-18-20_41.exeGet hashmaliciousBrowse
                                                                                  XXXXXXXXXXXXXX.exeGet hashmaliciousBrowse
                                                                                    IMG_144907.exeGet hashmaliciousBrowse
                                                                                      VIIIIIIIIIIIIIC.exeGet hashmaliciousBrowse
                                                                                        lQN1zlLSGa.exeGet hashmaliciousBrowse
                                                                                          Sorted Properties.exeGet hashmaliciousBrowse
                                                                                            DB_DHL_AWB_00117390021_AD03990399003920032.exeGet hashmaliciousBrowse
                                                                                              New Order 83329 PDF.exeGet hashmaliciousBrowse
                                                                                                NEW TENDER_ORDER 900930390097733000999_10_02_2021.exeGet hashmaliciousBrowse
                                                                                                  Proforma Invoice February.exeGet hashmaliciousBrowse
                                                                                                    jmsg.exeGet hashmaliciousBrowse
                                                                                                      FORM DB_DHL_AWB_029920292092039993029333221 AD.exeGet hashmaliciousBrowse
                                                                                                        Mortgage Description.exeGet hashmaliciousBrowse

                                                                                                          Created / dropped Files

                                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MPO-003234.exe.log
                                                                                                          Process:C:\Users\user\Desktop\MPO-003234.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:modified
                                                                                                          Size (bytes):1214
                                                                                                          Entropy (8bit):5.358666369753595
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4K5AE4Kzr7K84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoM:MIHK5HKXE1qHbHK5AHKzvKviYHKhQnoH
                                                                                                          MD5:1F3BB210B09FE31192C6A822966919E9
                                                                                                          SHA1:A8715FFF2F9D1BE024F462CF702D1E7F71AA4B4F
                                                                                                          SHA-256:C6B3057777EE46AC3544F9FA829E918CD7EF70E490424616650DDA01BF214043
                                                                                                          SHA-512:26897678275FEFDFD96FCB7F7FAFFD5FB0BC0FEB35C89BEB4BA15D074155A06236E8681A2CA9C9DCFDDF2462644CD3603C3592AB310BA84E3D93C8BF2CE28DD5
                                                                                                          Malicious:true
                                                                                                          Reputation:moderate, very likely benign file
                                                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co
                                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\badman.exe.log
                                                                                                          Process:C:\Users\user\AppData\Roaming\badman.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1214
                                                                                                          Entropy (8bit):5.358666369753595
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4K5AE4Kzr7K84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoM:MIHK5HKXE1qHbHK5AHKzvKviYHKhQnoH
                                                                                                          MD5:1F3BB210B09FE31192C6A822966919E9
                                                                                                          SHA1:A8715FFF2F9D1BE024F462CF702D1E7F71AA4B4F
                                                                                                          SHA-256:C6B3057777EE46AC3544F9FA829E918CD7EF70E490424616650DDA01BF214043
                                                                                                          SHA-512:26897678275FEFDFD96FCB7F7FAFFD5FB0BC0FEB35C89BEB4BA15D074155A06236E8681A2CA9C9DCFDDF2462644CD3603C3592AB310BA84E3D93C8BF2CE28DD5
                                                                                                          Malicious:false
                                                                                                          Reputation:moderate, very likely benign file
                                                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co
                                                                                                          C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                                                          Process:C:\Users\user\Desktop\MPO-003234.exe
                                                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):41064
                                                                                                          Entropy (8bit):6.164873449128079
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
                                                                                                          MD5:EFEC8C379D165E3F33B536739AEE26A3
                                                                                                          SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
                                                                                                          SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                                                                                                          SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Joe Sandbox View:
                                                                                                          • Filename: Payment copy.exe, Detection: malicious, Browse
                                                                                                          • Filename: New Order.exe, Detection: malicious, Browse
                                                                                                          • Filename: YKRAB010B_KHE_Preminary Packing List.xlsx.exe, Detection: malicious, Browse
                                                                                                          • Filename: RTM DIAS - CTM.exe, Detection: malicious, Browse
                                                                                                          • Filename: SecuriteInfo.com.Artemis249E62CF9BAE.exe, Detection: malicious, Browse
                                                                                                          • Filename: SecuriteInfo.com.Trojan.Packed2.42841.18110.exe, Detection: malicious, Browse
                                                                                                          • Filename: DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exe, Detection: malicious, Browse
                                                                                                          • Filename: index_2021-02-18-20_41.exe, Detection: malicious, Browse
                                                                                                          • Filename: XXXXXXXXXXXXXX.exe, Detection: malicious, Browse
                                                                                                          • Filename: IMG_144907.exe, Detection: malicious, Browse
                                                                                                          • Filename: VIIIIIIIIIIIIIC.exe, Detection: malicious, Browse
                                                                                                          • Filename: lQN1zlLSGa.exe, Detection: malicious, Browse
                                                                                                          • Filename: Sorted Properties.exe, Detection: malicious, Browse
                                                                                                          • Filename: DB_DHL_AWB_00117390021_AD03990399003920032.exe, Detection: malicious, Browse
                                                                                                          • Filename: New Order 83329 PDF.exe, Detection: malicious, Browse
                                                                                                          • Filename: NEW TENDER_ORDER 900930390097733000999_10_02_2021.exe, Detection: malicious, Browse
                                                                                                          • Filename: Proforma Invoice February.exe, Detection: malicious, Browse
                                                                                                          • Filename: jmsg.exe, Detection: malicious, Browse
                                                                                                          • Filename: FORM DB_DHL_AWB_029920292092039993029333221 AD.exe, Detection: malicious, Browse
                                                                                                          • Filename: Mortgage Description.exe, Detection: malicious, Browse
                                                                                                          Reputation:moderate, very likely benign file
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
                                                                                                          C:\Users\user\AppData\Roaming\badman.exe
                                                                                                          Process:C:\Users\user\Desktop\MPO-003234.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):877568
                                                                                                          Entropy (8bit):6.6376111502973485
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12288:woUUhJQ3Krcrlhiz6021uysHmL95K0/Y7n03vSt0BgVb:wvKrcBgp2IyGuK0/Y70f7
                                                                                                          MD5:8BC8526FBAAFBAC33118EE652AC97DA6
                                                                                                          SHA1:7B23C7209B8F37BB32803971C36AB706B4A8E34D
                                                                                                          SHA-256:CFE1F69C2984DE3F5D476DB3CE45AA4D95A8137F0FF1BA07C1B0CECF15075C93
                                                                                                          SHA-512:439595E5CAE6B32B36223DF24D3DE1FA67BD8EE46ED84358D64633DEBA39B4A25DC38DB1BEF947B9C74E4A3226758876A673AEE353D3E94B168E32BE9BCD822C
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                          • Antivirus: ReversingLabs, Detection: 19%
                                                                                                          Reputation:low
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P.3K.................X...........w... ........@.. ....................................`..................................v..S.................................................................................... ............... ..H............text....W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............b..............@..B.................v......H....... ...............................................................).F...<......*...U...u.....d...F....yg.#."..#.P...+.m..\....y......b...i.)e.W.RmV..p~.f...a.l.5..9a...E...uR....O.1...&.T......|F......e....m~.m.S ..`........ ....y."\+.A:....C.....X.1.b..X..yIg.Z.T.1..I.5Q.S....D..K......../.......1k.t.......2........bl.Q..\N...dH.E.-....c.E.3.w...W<..".`.8..H.N..x.m.`.|.y..C.5....#.._...1.).w.a..$.(.1.^.r.:...T.E....<..41......t....-;]2|.U.zn.Bcr.
                                                                                                          C:\Users\user\AppData\Roaming\badman.exe:Zone.Identifier
                                                                                                          Process:C:\Users\user\Desktop\MPO-003234.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):26
                                                                                                          Entropy (8bit):3.95006375643621
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                          Malicious:true
                                                                                                          Reputation:high, very likely benign file
                                                                                                          Preview: [ZoneTransfer]....ZoneId=0
                                                                                                          C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):41064
                                                                                                          Entropy (8bit):6.164873449128079
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
                                                                                                          MD5:EFEC8C379D165E3F33B536739AEE26A3
                                                                                                          SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
                                                                                                          SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                                                                                                          SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Joe Sandbox View:
                                                                                                          • Filename: Payment copy.exe, Detection: malicious, Browse
                                                                                                          • Filename: New Order.exe, Detection: malicious, Browse
                                                                                                          • Filename: YKRAB010B_KHE_Preminary Packing List.xlsx.exe, Detection: malicious, Browse
                                                                                                          • Filename: RTM DIAS - CTM.exe, Detection: malicious, Browse
                                                                                                          • Filename: SecuriteInfo.com.Artemis249E62CF9BAE.exe, Detection: malicious, Browse
                                                                                                          • Filename: SecuriteInfo.com.Trojan.Packed2.42841.18110.exe, Detection: malicious, Browse
                                                                                                          • Filename: DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exe, Detection: malicious, Browse
                                                                                                          • Filename: index_2021-02-18-20_41.exe, Detection: malicious, Browse
                                                                                                          • Filename: XXXXXXXXXXXXXX.exe, Detection: malicious, Browse
                                                                                                          • Filename: IMG_144907.exe, Detection: malicious, Browse
                                                                                                          • Filename: VIIIIIIIIIIIIIC.exe, Detection: malicious, Browse
                                                                                                          • Filename: lQN1zlLSGa.exe, Detection: malicious, Browse
                                                                                                          • Filename: Sorted Properties.exe, Detection: malicious, Browse
                                                                                                          • Filename: DB_DHL_AWB_00117390021_AD03990399003920032.exe, Detection: malicious, Browse
                                                                                                          • Filename: New Order 83329 PDF.exe, Detection: malicious, Browse
                                                                                                          • Filename: NEW TENDER_ORDER 900930390097733000999_10_02_2021.exe, Detection: malicious, Browse
                                                                                                          • Filename: Proforma Invoice February.exe, Detection: malicious, Browse
                                                                                                          • Filename: jmsg.exe, Detection: malicious, Browse
                                                                                                          • Filename: FORM DB_DHL_AWB_029920292092039993029333221 AD.exe, Detection: malicious, Browse
                                                                                                          • Filename: Mortgage Description.exe, Detection: malicious, Browse
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s

                                                                                                          Static File Info

                                                                                                          General

                                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Entropy (8bit):6.6376111502973485
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                                          File name:MPO-003234.exe
                                                                                                          File size:877568
                                                                                                          MD5:8bc8526fbaafbac33118ee652ac97da6
                                                                                                          SHA1:7b23c7209b8f37bb32803971c36ab706b4a8e34d
                                                                                                          SHA256:cfe1f69c2984de3f5d476db3ce45aa4d95a8137f0ff1ba07c1b0cecf15075c93
                                                                                                          SHA512:439595e5cae6b32b36223df24d3de1fa67bd8ee46ed84358d64633deba39b4a25dc38db1bef947b9c74e4a3226758876a673aee353d3e94b168e32be9bcd822c
                                                                                                          SSDEEP:12288:woUUhJQ3Krcrlhiz6021uysHmL95K0/Y7n03vSt0BgVb:wvKrcBgp2IyGuK0/Y70f7
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P.3K.................X...........w... ........@.. ....................................`................................

                                                                                                          File Icon

                                                                                                          Icon Hash:00828e8e8686b000

                                                                                                          Static PE Info

                                                                                                          General

                                                                                                          Entrypoint:0x4d770e
                                                                                                          Entrypoint Section:.text
                                                                                                          Digitally signed:false
                                                                                                          Imagebase:0x400000
                                                                                                          Subsystem:windows gui
                                                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                                                          Time Stamp:0x4B33FC50 [Thu Dec 24 23:42:08 2009 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:v4.0.30319
                                                                                                          OS Version Major:4
                                                                                                          OS Version Minor:0
                                                                                                          File Version Major:4
                                                                                                          File Version Minor:0
                                                                                                          Subsystem Version Major:4
                                                                                                          Subsystem Version Minor:0
                                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                          Entrypoint Preview

                                                                                                          Instruction
                                                                                                          jmp dword ptr [00402000h]
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al

                                                                                                          Data Directories

                                                                                                          NameVirtual AddressVirtual Size Is in Section
                                                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0xd76b80x53.text
                                                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xd80000x616.rsrc
                                                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xda0000xc.reloc
                                                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                          Sections

                                                                                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                          .text0x20000xd57140xd5800False0.635758196721SysEx File -6.6463233151IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                          .rsrc0xd80000x6160x800False0.349609375data3.66123376299IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                          .reloc0xda0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                          Resources

                                                                                                          NameRVASizeTypeLanguageCountry
                                                                                                          RT_VERSION0xd80a00x38cPGP symmetric key encrypted data - Plaintext or unencrypted data
                                                                                                          RT_MANIFEST0xd842c0x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                                          Imports

                                                                                                          DLLImport
                                                                                                          mscoree.dll_CorExeMain

                                                                                                          Version Infos

                                                                                                          DescriptionData
                                                                                                          Translation0x0000 0x04b0
                                                                                                          LegalCopyrightCopyright 2011 E5?5I5:6IG=BH49I2J<;6C
                                                                                                          Assembly Version1.0.0.0
                                                                                                          InternalNameRaj.exe
                                                                                                          FileVersion7.11.14.18
                                                                                                          CompanyNameE5?5I5:6IG=BH49I2J<;6C
                                                                                                          CommentsAF95E:7>3632AD@G@9
                                                                                                          ProductName5EGCD4ACFEGCGA7;?A2
                                                                                                          ProductVersion7.11.14.18
                                                                                                          FileDescription5EGCD4ACFEGCGA7;?A2
                                                                                                          OriginalFilenameRaj.exe

                                                                                                          Network Behavior

                                                                                                          Network Port Distribution

                                                                                                          UDP Packets

                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                          Feb 23, 2021 09:28:55.101944923 CET6124253192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:28:55.126588106 CET5856253192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:28:55.150718927 CET53612428.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:28:55.176758051 CET5659053192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:28:55.178112030 CET53585628.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:28:55.225357056 CET53565908.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:28:58.107235909 CET6050153192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:28:58.172266960 CET53605018.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:01.079483032 CET5377553192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:01.130961895 CET53537758.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:02.069763899 CET5183753192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:02.118594885 CET53518378.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:03.205269098 CET5541153192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:03.254051924 CET53554118.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:04.208017111 CET6366853192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:04.257010937 CET53636688.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:04.298306942 CET5464053192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:04.357367039 CET53546408.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:04.622805119 CET5873953192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:04.671376944 CET53587398.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:04.687341928 CET6033853192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:04.736023903 CET53603388.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:05.337219954 CET5871753192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:05.386883020 CET53587178.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:09.311932087 CET5976253192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:09.360644102 CET53597628.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:10.319719076 CET5432953192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:10.368494987 CET53543298.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:11.290817022 CET5805253192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:11.339703083 CET53580528.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:12.295756102 CET5400853192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:12.344485044 CET53540088.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:13.266511917 CET5945153192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:13.318264008 CET53594518.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:14.236737967 CET5291453192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:14.285512924 CET53529148.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:15.220974922 CET6456953192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:15.279983044 CET53645698.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:16.285648108 CET5281653192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:16.345727921 CET53528168.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:18.440898895 CET5078153192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:18.493890047 CET53507818.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:20.617420912 CET5423053192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:20.668917894 CET53542308.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:21.480077982 CET5491153192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:21.540224075 CET53549118.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:22.158849001 CET4995853192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:22.207703114 CET53499588.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:24.030318022 CET5086053192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:24.081851959 CET53508608.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:30.098707914 CET5045253192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:30.158178091 CET53504528.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:31.191107988 CET5973053192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:31.239974022 CET53597308.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:32.180849075 CET5931053192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:32.233937025 CET53593108.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:34.110220909 CET5191953192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:34.160742998 CET53519198.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:50.333293915 CET6429653192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:50.382025003 CET53642968.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:51.508300066 CET5668053192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:51.556991100 CET53566808.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:53.156857014 CET5882053192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:53.208484888 CET53588208.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:53.660867929 CET6098353192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:53.713583946 CET53609838.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:53.726845980 CET4924753192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:53.775630951 CET53492478.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:56.399905920 CET5228653192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:56.448682070 CET53522868.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:04.419305086 CET5606453192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:04.480340004 CET53560648.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:21.199871063 CET6374453192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:21.251580954 CET53637448.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:21.903512001 CET6145753192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:21.966276884 CET53614578.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:22.318589926 CET5836753192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:22.378510952 CET53583678.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:22.550931931 CET6059953192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:22.608385086 CET53605998.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:23.137856007 CET5957153192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:23.196151018 CET53595718.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:23.692564964 CET5268953192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:23.750958920 CET53526898.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:24.330089092 CET5029053192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:24.390232086 CET53502908.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:25.018570900 CET6042753192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:25.079519033 CET53604278.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:25.962924004 CET5620953192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:26.011715889 CET53562098.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:26.881119013 CET5958253192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:26.940684080 CET53595828.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:27.540143013 CET6094953192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:27.600292921 CET53609498.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:55.509000063 CET5854253192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:55.557792902 CET53585428.8.8.8192.168.2.7

                                                                                                          Code Manipulations

                                                                                                          Statistics

                                                                                                          CPU Usage

                                                                                                          Click to jump to process

                                                                                                          Memory Usage

                                                                                                          Click to jump to process

                                                                                                          High Level Behavior Distribution

                                                                                                          Click to dive into process behavior distribution

                                                                                                          Behavior

                                                                                                          Click to jump to process

                                                                                                          System Behavior

                                                                                                          Analysis Process: MPO-003234.exe PID: 6584 Parent PID: 5632

                                                                                                          General

                                                                                                          Start time:09:29:01
                                                                                                          Start date:23/02/2021
                                                                                                          Path:C:\Users\user\Desktop\MPO-003234.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'C:\Users\user\Desktop\MPO-003234.exe'
                                                                                                          Imagebase:0xca0000
                                                                                                          File size:877568 bytes
                                                                                                          MD5 hash:8BC8526FBAAFBAC33118EE652AC97DA6
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.336384581.0000000004ACC000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          Reputation:low

                                                                                                          Chronological Activities

                                                                                                          Analysis Process: cmd.exe PID: 6720 Parent PID: 6584

                                                                                                          General

                                                                                                          Start time:09:29:07
                                                                                                          Start date:23/02/2021
                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
                                                                                                          Imagebase:0x870000
                                                                                                          File size:232960 bytes
                                                                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          Chronological Activities

                                                                                                          Analysis Process: conhost.exe PID: 6728 Parent PID: 6720

                                                                                                          General

                                                                                                          Start time:09:29:08
                                                                                                          Start date:23/02/2021
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff774ee0000
                                                                                                          File size:625664 bytes
                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          Chronological Activities

                                                                                                          Analysis Process: reg.exe PID: 6764 Parent PID: 6720

                                                                                                          General

                                                                                                          Start time:09:29:08
                                                                                                          Start date:23/02/2021
                                                                                                          Path:C:\Windows\SysWOW64\reg.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
                                                                                                          Imagebase:0x1370000
                                                                                                          File size:59392 bytes
                                                                                                          MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          Chronological Activities

                                                                                                          Analysis Process: badman.exe PID: 7052 Parent PID: 6584

                                                                                                          General

                                                                                                          Start time:09:29:49
                                                                                                          Start date:23/02/2021
                                                                                                          Path:C:\Users\user\AppData\Roaming\badman.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'C:\Users\user\AppData\Roaming\badman.exe'
                                                                                                          Imagebase:0xc0000
                                                                                                          File size:877568 bytes
                                                                                                          MD5 hash:8BC8526FBAAFBAC33118EE652AC97DA6
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.432474443.0000000003EAA000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.432224674.0000000003D39000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.432317195.0000000003D9C000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                          • Detection: 19%, ReversingLabs
                                                                                                          Reputation:low

                                                                                                          Chronological Activities

                                                                                                          Analysis Process: InstallUtil.exe PID: 6980 Parent PID: 7052

                                                                                                          General

                                                                                                          Start time:09:30:28
                                                                                                          Start date:23/02/2021
                                                                                                          Path:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
                                                                                                          Imagebase:0x6e0000
                                                                                                          File size:41064 bytes
                                                                                                          MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.492241366.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 0%, Metadefender, Browse
                                                                                                          • Detection: 0%, ReversingLabs
                                                                                                          Reputation:moderate

                                                                                                          Chronological Activities

                                                                                                          Disassembly

                                                                                                          Code Analysis

                                                                                                          Reset < >

                                                                                                            Analysis Process: MPO-003234.exe PID: 6584 Parent PID: 5632 MPO-003234.exeCOMMON

                                                                                                            Executed Functions

                                                                                                            Function 014AFCE0, Relevance: 2.6, Strings: 2, Instructions: 120COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.330943348.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: s@T$s@T
                                                                                                            • API String ID: 0-144321513
                                                                                                            • Opcode ID: 53de880a5c59b3e5145b484ba6111b84a74270410be6f1f433fffdb9826f6d49
                                                                                                            • Instruction ID: 0f0dc28395bf6d27d283ebc652f42830497062dde9e0f9ac3a9f311443680ced
                                                                                                            • Opcode Fuzzy Hash: 53de880a5c59b3e5145b484ba6111b84a74270410be6f1f433fffdb9826f6d49
                                                                                                            • Instruction Fuzzy Hash: 11414674E04208CFDB44CFA9D54169EBBF2AF8C211F65A02AE506B3264DB3099468F69
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 014ACD20, Relevance: .3, Instructions: 340COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.330943348.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1ea6ac298f09b4969abdf429c33b47ee62f3db5496fb4f29dd3041c5fc87dfdf
                                                                                                            • Instruction ID: 702afbbb5ffea824a1c7ec6254f2a39fdd15330431e74b255d3a44aea183bb14
                                                                                                            • Opcode Fuzzy Hash: 1ea6ac298f09b4969abdf429c33b47ee62f3db5496fb4f29dd3041c5fc87dfdf
                                                                                                            • Instruction Fuzzy Hash: FDC12971A082158FC754DF68C4902BFBBB6EF95320F82853BE505DB7A1DB389C428791
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 014A8638, Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 014A86B2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.330943348.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: EncodePointer
                                                                                                            • String ID:
                                                                                                            • API String ID: 2118026453-0
                                                                                                            • Opcode ID: 7feffe21413fd6a652bc49cfb0fef19b8d66fb5c5c49a03d92fc57b0dd764f4e
                                                                                                            • Instruction ID: 8c247fe035c9281426a78fa4b26ef77aa1e0c0dc00a5fd7722bffd4765d9ecf4
                                                                                                            • Opcode Fuzzy Hash: 7feffe21413fd6a652bc49cfb0fef19b8d66fb5c5c49a03d92fc57b0dd764f4e
                                                                                                            • Instruction Fuzzy Hash: 8A11ACB4900349CFDF60CFAAC54839BBBF4EB48315F20842AD408A7704D739A544CFA6
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 0142D4C4, Relevance: .1, Instructions: 75COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.330834153.000000000142D000.00000040.00000001.sdmp, Offset: 0142D000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 506533bd036daebe31c8c7f0c322fde5203d17837ccfc5563219207d624cd3ec
                                                                                                            • Instruction ID: 330b6165df7e46829969113eae967d1355e3a8e1d8e71a2d352944e089b898ec
                                                                                                            • Opcode Fuzzy Hash: 506533bd036daebe31c8c7f0c322fde5203d17837ccfc5563219207d624cd3ec
                                                                                                            • Instruction Fuzzy Hash: 782106B1904240DFDB05DF54D9C0B27BF65FB88318F64C56AE9054B216C376D8C6CAA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 0142D4BF, Relevance: .1, Instructions: 56COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.330834153.000000000142D000.00000040.00000001.sdmp, Offset: 0142D000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9d191f27037774c7175ec00988a523654d6fbb25c1dda66acccd64c723f85ba2
                                                                                                            • Instruction ID: 81b3859d13ae399d30d612b37192eaa75ff54e829c9b3de68898ffb836d9f81a
                                                                                                            • Opcode Fuzzy Hash: 9d191f27037774c7175ec00988a523654d6fbb25c1dda66acccd64c723f85ba2
                                                                                                            • Instruction Fuzzy Hash: 8711B176804280CFDB12CF54D9C4B16BF71FB88324F24C6AAD8454B626C376D496CBA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 0142D819, Relevance: .0, Instructions: 45COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.330834153.000000000142D000.00000040.00000001.sdmp, Offset: 0142D000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d7186329ec29bae896965feae482f745f5c57aea182c5118c16e7652545f4cf5
                                                                                                            • Instruction ID: efcacc8021e0475be795b824d71db19dafcbb03a1856af34a232d74e254a8da2
                                                                                                            • Opcode Fuzzy Hash: d7186329ec29bae896965feae482f745f5c57aea182c5118c16e7652545f4cf5
                                                                                                            • Instruction Fuzzy Hash: F6012B718083949AE7144A6ACCC4763FBD8DF45278F18C46BEE1C5B296C3B898C4C6B1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 0142D818, Relevance: .0, Instructions: 36COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.330834153.000000000142D000.00000040.00000001.sdmp, Offset: 0142D000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0afe60cbed3c15ddc8339104fc656f9189b8654f27d342a84206360447892ad0
                                                                                                            • Instruction ID: 54034821f4bbb61db12e33e10909a0f85c180fb595a6142658b2f05246cc2daa
                                                                                                            • Opcode Fuzzy Hash: 0afe60cbed3c15ddc8339104fc656f9189b8654f27d342a84206360447892ad0
                                                                                                            • Instruction Fuzzy Hash: 50F0C8758042849AE7118A1ACCC4B63FF98DB41774F18C05AEE184B256C3799884CAB1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Non-executed Functions

                                                                                                            Function 00CA366F, Relevance: .1, Instructions: 137COMMONCrypto
                                                                                                            Download Yara Rule
                                                                                                            C-Code - Quality: 19%
                                                                                                            			E00CA366F() {
				signed char _t42;
				signed char _t44;
				signed char _t50;
				signed int _t54;
				intOrPtr* _t55;
				void* _t57;
				signed int _t63;
				signed int _t64;
				signed int _t65;
				intOrPtr _t69;
				signed int* _t73;
				void* _t74;
				signed int _t82;
				signed char _t92;
				signed int _t98;
				signed int _t99;
				intOrPtr* _t115;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				void* _t124;
				signed int _t128;
				void* _t145;

				_t99 = _t98 ^  *(_t98 + 0x7707db33);
				 *(_t119 + 0x34) =  *(_t119 + 0x34) ^ _t92;
				 *0x285f0de6 = _t69;
				asm("salc");
				asm("sbb dh, [ecx+ebx]");
				asm("sbb eax, 0x28630df1");
				asm("sbb byte [edx], 0x3f");
				asm("sbb [esi+0x3d303607], ecx");
				_t44 = _t42 ^ 0x5c;
				asm("sbb eax, 0x28550dfa");
				_t121 = _t119;
				_pop(_t120);
				asm("sbb ch, [edi]");
				asm("sbb [ebp+0x75307607], edx");
				asm("sbb eax, 0x287f0db4");
				asm("repne sbb bl, [esi]");
				asm("sbb [edi+eax+0x343a3052], esi");
				 *0x285b0de0 = ds;
				asm("les ebx, [edx]");
				_pop(es);
				asm("sbb eax, 0x28770db4");
				asm("out dx, eax");
				asm("sbb cl, [ecx]");
				asm("sbb [edx+0x7a302507], edi");
				asm("sbb eax, 0x285b0df9");
				asm("into");
				asm("sbb al, [ecx+ebx]");
				_pop(es);
				asm("hlt");
				asm("sbb [ds:ecx+0x74306407], edx");
				_t50 = (_t44 ^ 0x9f | 0x1a872816) ^ 0x000000b6;
				asm("sbb eax, 0x284e0ded");
				asm("rcr byte [edx], cl");
				 *_t99 = es;
				_t93 = _t92 &  *_t50;
				asm("sbb bl, [esi]");
				asm("sbb [edi-0x62faf3f9], ebp");
				asm("scasd");
				_push(ds);
				 *((intOrPtr*)(_t93 + _t93 * 8)) =  *((intOrPtr*)(_t93 + _t93 * 8)) - _t82;
				asm("das");
				asm("popad");
				_t115 =  *_t82 * 0x28b0687 -  *((intOrPtr*)(0x68302507 + _t99));
				asm("std");
				_push(ds);
				 *0xD233020D =  *0xD233020D ^ _t99;
				_t73 = (0x68302507 ^  *_t82) -  *0x601eef3b;
				_t54 = (_t50 - _t82 + 0x3b540559 ^ 0x7e2fdd2c) - 0x81;
				asm("das");
				if(_t54 != 0) {
					L4:
					_t93 = 2;
					_t122 = es;
					_t115 = _t115 -  *0x271efd3b;
					_t55 = _t54 - 0xd9;
					asm("das");
					if(_t55 <= 0) {
						L7:
						_push(es);
						_t82 = 2;
						_t74 = _t73 - 1;
						_t122 = _t122 -  *_t55;
						_t54 = _t55 + 0x7e4b5a4b;
						if(_t54 > 0) {
							L3:
							asm("cmpsd");
							_push(es);
							asm("scasd");
							_t82 = _t82 +  *((intOrPtr*)(_t74 + 0x2b));
							_t73 =  *_t115;
							asm("a16 sub al, 0xd9");
							asm("das");
							asm("outsd");
							_t73[0x19c0a641] = _t73[0x19c0a641] ^ _t54;
							asm("das");
							asm("scasd");
							goto L4;
						}
						L8:
						asm("pushfd");
						asm("pushad");
						_t57 = _t54 - 0xffffffffffffff8c;
						_t124 = _t122 - 1 -  *((intOrPtr*)(_t93 - 0x37));
						asm("popad");
						if(_t124 >= 0) {
							L21:
							asm("enter 0xcbf5, 0x7a");
							asm("aad 0xef");
						}
						_t63 = _t57 - 0x7ae226e1;
						asm("loope 0xfffffff7");
						asm("out 0x4a, al");
						asm("iretd");
						asm("fistp word [es:ebp-0x2237fd06]");
						asm("popfd");
						asm("cli");
						asm("fxch4 st3");
						_push(ss);
						asm("aad 0xae");
						asm("loop 0xffffffab");
						asm("out 0x41, al");
						asm("iretd");
						_t64 = _t63 | 0x08fa88df;
						asm("enter 0xcbf8, 0x5e");
						asm("aad 0xb6");
						asm("loop 0xffffffaa");
						asm("out 0x5c, al");
						asm("iretd");
						_t65 = _t64 | 0x03fa8edf;
						asm("enter 0xcbe9, 0x55");
						asm("aad 0xb5");
						asm("loop 0xffffff9e");
						asm("out 0x3, al");
						asm("iretd");
						asm("aaa");
						L14:
						asm("fist word [ecx-0xc37f806]");
						asm("retf");
						asm("aad 0xb1");
						asm("loop 0xffffffbb");
						asm("out 0x5b, al");
						asm("iretd");
						_t145 = _t65 - 0x26fa8adf;
						asm("enter 0xcbb1, 0x52");
						asm("aad 0xb7");
						asm("loop 0xffffffeb");
						asm("out 0x6f, al");
						asm("iretd");
						if(_t145 <= 0) {
							goto L14;
						}
						_t57 = _t124;
						_t128 = _t65;
						asm("cli");
						asm("adc cl, al");
						asm("loop 0xffffffba");
						asm("out 0x5d, al");
						asm("iretd");
						asm("popad");
						asm("fistp qword [edx+edi*8-0x340637b6]");
						_push(_t128);
						asm("aad 0xf1");
						asm("loop 0xffffff9e");
						asm("out 0x3, al");
						asm("iretd");
						asm("fistp word [ss:ebp-0xa37fc06]");
						asm("popfd");
						asm("cli");
						goto L21;
					}
					 *_t115 =  *_t115 + 0xffffff93;
					_t93 = 2 +  *((intOrPtr*)(_t82 + 0x2b));
					_pop(ds);
					asm("das");
					if(_t115 !=  *((intOrPtr*)(_t82 - 0x25d3cde2))) {
						goto L8;
					}
					asm("into");
					_push(es);
					asm("fiadd dword [edx]");
					_t120 =  *_t73 * 0x1e;
					asm("bound esi, [ecx]");
					_t115 = _t55;
					 *__edx = es;
					asm("outsd");
					asm("a16 sub al, 0xe8");
					asm("das");
					_t55 = ds;
					 *(_t99 + 0x4b02b106) =  *(_t99 + 0x4b02b106) ^ _t122;
					goto L7;
				}
				_t54 = _t121;
				_t74 = _t73 +  *((intOrPtr*)(_t93 + 0x2b));
				asm("sbb bh, [ebx]");
				asm("scasb");
				_push(ds);
				 *((intOrPtr*)(_t115 + _t82 * 8)) =  *((intOrPtr*)(_t115 + _t82 * 8)) - _t82;
				asm("das");
				goto L3;
			}



























                                                                                                            0x00ca366f
                                                                                                            0x00ca3675
                                                                                                            0x00ca3678
                                                                                                            0x00ca367e
                                                                                                            0x00ca367f
                                                                                                            0x00ca3689
                                                                                                            0x00ca368e
                                                                                                            0x00ca3691
                                                                                                            0x00ca3697
                                                                                                            0x00ca3699
                                                                                                            0x00ca369e
                                                                                                            0x00ca369e
                                                                                                            0x00ca369f
                                                                                                            0x00ca36a1
                                                                                                            0x00ca36a9
                                                                                                            0x00ca36ae
                                                                                                            0x00ca36b1
                                                                                                            0x00ca36b8
                                                                                                            0x00ca36be
                                                                                                            0x00ca36c3
                                                                                                            0x00ca36c9
                                                                                                            0x00ca36ce
                                                                                                            0x00ca36cf
                                                                                                            0x00ca36d1
                                                                                                            0x00ca36d9
                                                                                                            0x00ca36de
                                                                                                            0x00ca36df
                                                                                                            0x00ca36e3
                                                                                                            0x00ca36ea
                                                                                                            0x00ca36f0
                                                                                                            0x00ca36f7
                                                                                                            0x00ca36f9
                                                                                                            0x00ca36fe
                                                                                                            0x00ca3702
                                                                                                            0x00ca3704
                                                                                                            0x00ca370f
                                                                                                            0x00ca3711
                                                                                                            0x00ca371c
                                                                                                            0x00ca371d
                                                                                                            0x00ca371e
                                                                                                            0x00ca3721
                                                                                                            0x00ca3728
                                                                                                            0x00ca3729
                                                                                                            0x00ca372c
                                                                                                            0x00ca372d
                                                                                                            0x00ca3733
                                                                                                            0x00ca3739
                                                                                                            0x00ca373f
                                                                                                            0x00ca3741
                                                                                                            0x00ca3742
                                                                                                            0x00ca3775
                                                                                                            0x00ca3776
                                                                                                            0x00ca3778
                                                                                                            0x00ca3779
                                                                                                            0x00ca377f
                                                                                                            0x00ca3781
                                                                                                            0x00ca3782
                                                                                                            0x00ca37b5
                                                                                                            0x00ca37b5
                                                                                                            0x00ca37b6
                                                                                                            0x00ca37b8
                                                                                                            0x00ca37b9
                                                                                                            0x00ca37be
                                                                                                            0x00ca37c3
                                                                                                            0x00ca3754
                                                                                                            0x00ca3754
                                                                                                            0x00ca3755
                                                                                                            0x00ca3756
                                                                                                            0x00ca3757
                                                                                                            0x00ca375c
                                                                                                            0x00ca375e
                                                                                                            0x00ca3761
                                                                                                            0x00ca3762
                                                                                                            0x00ca3763
                                                                                                            0x00ca3771
                                                                                                            0x00ca3774
                                                                                                            0x00000000
                                                                                                            0x00ca3774
                                                                                                            0x00ca37c5
                                                                                                            0x00ca37c6
                                                                                                            0x00ca37c8
                                                                                                            0x00ca37c9
                                                                                                            0x00ca37ce
                                                                                                            0x00ca37d1
                                                                                                            0x00ca37d2
                                                                                                            0x00ca3853
                                                                                                            0x00ca3853
                                                                                                            0x00ca3857
                                                                                                            0x00ca3857
                                                                                                            0x00ca37d4
                                                                                                            0x00ca37d9
                                                                                                            0x00ca37db
                                                                                                            0x00ca37dd
                                                                                                            0x00ca37de
                                                                                                            0x00ca37e0
                                                                                                            0x00ca37e1
                                                                                                            0x00ca37e4
                                                                                                            0x00ca37e6
                                                                                                            0x00ca37e7
                                                                                                            0x00ca37e9
                                                                                                            0x00ca37eb
                                                                                                            0x00ca37ed
                                                                                                            0x00ca37ee
                                                                                                            0x00ca37f3
                                                                                                            0x00ca37f7
                                                                                                            0x00ca37f9
                                                                                                            0x00ca37fb
                                                                                                            0x00ca37fd
                                                                                                            0x00ca37fe
                                                                                                            0x00ca3803
                                                                                                            0x00ca3807
                                                                                                            0x00ca3809
                                                                                                            0x00ca380b
                                                                                                            0x00ca380d
                                                                                                            0x00ca380e
                                                                                                            0x00ca380f
                                                                                                            0x00ca380f
                                                                                                            0x00ca3815
                                                                                                            0x00ca3816
                                                                                                            0x00ca3819
                                                                                                            0x00ca381b
                                                                                                            0x00ca381d
                                                                                                            0x00ca381e
                                                                                                            0x00ca3823
                                                                                                            0x00ca3827
                                                                                                            0x00ca3829
                                                                                                            0x00ca382b
                                                                                                            0x00ca382d
                                                                                                            0x00ca382e
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00ca3830
                                                                                                            0x00ca3830
                                                                                                            0x00ca3831
                                                                                                            0x00ca3832
                                                                                                            0x00ca3839
                                                                                                            0x00ca383b
                                                                                                            0x00ca383d
                                                                                                            0x00ca383e
                                                                                                            0x00ca383f
                                                                                                            0x00ca3846
                                                                                                            0x00ca3847
                                                                                                            0x00ca3849
                                                                                                            0x00ca384b
                                                                                                            0x00ca384d
                                                                                                            0x00ca384e
                                                                                                            0x00ca3850
                                                                                                            0x00ca3851
                                                                                                            0x00000000
                                                                                                            0x00ca3852
                                                                                                            0x00ca3784
                                                                                                            0x00ca3787
                                                                                                            0x00ca378a
                                                                                                            0x00ca3791
                                                                                                            0x00ca3792
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00ca3794
                                                                                                            0x00ca3795
                                                                                                            0x00ca3796
                                                                                                            0x00ca3798
                                                                                                            0x00ca37a2
                                                                                                            0x00ca37a4
                                                                                                            0x00ca37a6
                                                                                                            0x00ca37a8
                                                                                                            0x00ca37ae
                                                                                                            0x00ca37b1
                                                                                                            0x00ca37b2
                                                                                                            0x00ca37b3
                                                                                                            0x00000000
                                                                                                            0x00ca37b3
                                                                                                            0x00ca3746
                                                                                                            0x00ca3747
                                                                                                            0x00ca374a
                                                                                                            0x00ca374c
                                                                                                            0x00ca374d
                                                                                                            0x00ca374e
                                                                                                            0x00ca3751
                                                                                                            0x00000000

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.329599608.0000000000CA2000.00000002.00020000.sdmp, Offset: 00CA0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.329591834.0000000000CA0000.00000002.00020000.sdmp Download File
                                                                                                            • Associated: 00000000.00000002.329871434.0000000000D14000.00000002.00020000.sdmp Download File
                                                                                                            • Associated: 00000000.00000002.329881277.0000000000D1A000.00000002.00020000.sdmp Download File
                                                                                                            • Associated: 00000000.00000002.329895626.0000000000D21000.00000002.00020000.sdmp Download File
                                                                                                            • Associated: 00000000.00000002.329904761.0000000000D27000.00000002.00020000.sdmp Download File
                                                                                                            • Associated: 00000000.00000002.329916227.0000000000D2D000.00000002.00020000.sdmp Download File
                                                                                                            • Associated: 00000000.00000002.329924326.0000000000D37000.00000002.00020000.sdmp Download File
                                                                                                            • Associated: 00000000.00000002.329936878.0000000000D3A000.00000002.00020000.sdmp Download File
                                                                                                            • Associated: 00000000.00000002.329950139.0000000000D40000.00000002.00020000.sdmp Download File
                                                                                                            • Associated: 00000000.00000002.329959158.0000000000D46000.00000002.00020000.sdmp Download File
                                                                                                            • Associated: 00000000.00000002.329967385.0000000000D4C000.00000002.00020000.sdmp Download File
                                                                                                            • Associated: 00000000.00000002.329978641.0000000000D53000.00000002.00020000.sdmp Download File
                                                                                                            • Associated: 00000000.00000002.329987908.0000000000D59000.00000002.00020000.sdmp Download File
                                                                                                            • Associated: 00000000.00000002.329998821.0000000000D5F000.00000002.00020000.sdmp Download File
                                                                                                            • Associated: 00000000.00000002.330010736.0000000000D65000.00000002.00020000.sdmp Download File
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 01c14d70fe5d80e94b578413803fed2fa69c53c68f516c60b04378970707f3be
                                                                                                            • Instruction ID: 1feb90602fc6e851d405730e2bfadaafdf8087b2df141d63fd4bb54acddce3b1
                                                                                                            • Opcode Fuzzy Hash: 01c14d70fe5d80e94b578413803fed2fa69c53c68f516c60b04378970707f3be
                                                                                                            • Instruction Fuzzy Hash: 9C4141B74152E29FCB12CF38C4A51C6BFB2FE133047295699D8C04B426C736760ACB80
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Analysis Process: badman.exe PID: 7052 Parent PID: 6584 badman.exeCOMMON

                                                                                                            Executed Functions

                                                                                                            Function 062C2E0C, Relevance: 1.8, APIs: 1, Instructions: 253processCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,062CA1A5,?,?,?), ref: 062CA40C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.435008078.00000000062C0000.00000040.00000001.sdmp, Offset: 062C0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: CreateProcessUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 2217836671-0
                                                                                                            • Opcode ID: eada3fe80e7b1f359d6d112c0cf81593fda34eba4bb4d328465559a307d8313b
                                                                                                            • Instruction ID: 3eb7649dfcca179f1e81a050a3632e3f108712c52593c05bad4acad2ce964ad5
                                                                                                            • Opcode Fuzzy Hash: eada3fe80e7b1f359d6d112c0cf81593fda34eba4bb4d328465559a307d8313b
                                                                                                            • Instruction Fuzzy Hash: 3B91C0B5D0422D8FCB21CFA5C880BDDBBB1AF59314F0491AAE949B7210DB749A85CF94
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 062CA21F, Relevance: 1.8, APIs: 1, Instructions: 250processCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,062CA1A5,?,?,?), ref: 062CA40C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.435008078.00000000062C0000.00000040.00000001.sdmp, Offset: 062C0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: CreateProcessUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 2217836671-0
                                                                                                            • Opcode ID: 9421a255701063181d81cf611ee3eadf5b6c0619e64d22424e0a15531e2a3fab
                                                                                                            • Instruction ID: 764c4807edd329fe298e38225e80e869c6d3addd3557f9196a63b35e2d3a3491
                                                                                                            • Opcode Fuzzy Hash: 9421a255701063181d81cf611ee3eadf5b6c0619e64d22424e0a15531e2a3fab
                                                                                                            • Instruction Fuzzy Hash: 6A91CFB5D0422D8FCB21CFA5C880BDDBBB1BF59314F0491AAE949B7210DB749A85CF94
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 05FD434B, Relevance: 1.6, APIs: 1, Instructions: 147memoryCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • VirtualProtect.KERNEL32(?,?,?,?), ref: 05FD4487
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.434651111.0000000005FD0000.00000040.00000001.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: ProtectVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 544645111-0
                                                                                                            • Opcode ID: 5c0e813ea732b33f026eb04dcbc17cc3da6026ef29d6803456a1bf58afd235b8
                                                                                                            • Instruction ID: d64101f6dcfe2100e72025645027c45d79a41d83c9cbaef5634be182c8d3d48f
                                                                                                            • Opcode Fuzzy Hash: 5c0e813ea732b33f026eb04dcbc17cc3da6026ef29d6803456a1bf58afd235b8
                                                                                                            • Instruction Fuzzy Hash: CD4158BAD042189FCF00CFA9D885ADEFBB2FB09310F58942AE950B7340D37899418F61
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 05FD4321, Relevance: 1.6, APIs: 1, Instructions: 145memoryCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • VirtualProtect.KERNEL32(?,?,?,?), ref: 05FD4487
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.434651111.0000000005FD0000.00000040.00000001.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: ProtectVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 544645111-0
                                                                                                            • Opcode ID: 93ba16daad5fc03a5b52ca888574f7768218f0572432ab33136b0ed552ea3ed7
                                                                                                            • Instruction ID: 2e2f5debfc1fdf2ab1facbc6e5635dd07825a84bff3c4b2449e96d6a351bc3bf
                                                                                                            • Opcode Fuzzy Hash: 93ba16daad5fc03a5b52ca888574f7768218f0572432ab33136b0ed552ea3ed7
                                                                                                            • Instruction Fuzzy Hash: 994147BAD042589FCF00CFA9D885ADEFBB2EB19310F58942AE950B7740D3789941CF65
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 062CD120, Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 062CD1F3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.435008078.00000000062C0000.00000040.00000001.sdmp, Offset: 062C0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProcessWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3559483778-0
                                                                                                            • Opcode ID: 11dd8f9d0eff83e811355d19adc0b64664fc7886ca041fb2e690cd857725b186
                                                                                                            • Instruction ID: 99d02cae4081c8f22acf5b28dc8d762e741f2496814f7c7c25a265e77608cf5a
                                                                                                            • Opcode Fuzzy Hash: 11dd8f9d0eff83e811355d19adc0b64664fc7886ca041fb2e690cd857725b186
                                                                                                            • Instruction Fuzzy Hash: C74199B4D052589FCF00CFA9D984ADEFBF1BF49314F14942AE818B7200D779AA45CBA4
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 062CCE38, Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 062CCEE2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.435008078.00000000062C0000.00000040.00000001.sdmp, Offset: 062C0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4275171209-0
                                                                                                            • Opcode ID: 119e62694dc77315943b5028b4aafdb22027a380a1ad3a7e17c2c2dbf7ad17b1
                                                                                                            • Instruction ID: 8f31beb9798c9ac100c4c2bb77deac2a16d8b2464be9efd261bf2c323bfdb634
                                                                                                            • Opcode Fuzzy Hash: 119e62694dc77315943b5028b4aafdb22027a380a1ad3a7e17c2c2dbf7ad17b1
                                                                                                            • Instruction Fuzzy Hash: C33188B8E042589FCF10CFA9D884ADEFBB5BB49324F10942AE815B7210D735A945CFA4
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 062CCE37, Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 062CCEE2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.435008078.00000000062C0000.00000040.00000001.sdmp, Offset: 062C0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4275171209-0
                                                                                                            • Opcode ID: 6c7adc20e2a0a499583dcd109728f52fc82a271b361fb3a734be866e2ad24131
                                                                                                            • Instruction ID: 512a257d7221c93c48c800388b1065308eb5d524d4875c11b3cdbb7fb9a3ce0a
                                                                                                            • Opcode Fuzzy Hash: 6c7adc20e2a0a499583dcd109728f52fc82a271b361fb3a734be866e2ad24131
                                                                                                            • Instruction Fuzzy Hash: 533188B8E052589FCF10CFA9D884ADEFBB1BB49324F14942AE815B7210D735A946CF94
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 062CC208, Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • GetThreadContext.KERNEL32(?,?), ref: 062CC2BF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.435008078.00000000062C0000.00000040.00000001.sdmp, Offset: 062C0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: ContextThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 1591575202-0
                                                                                                            • Opcode ID: 0e189f8a75578943d1c31d82eaa2bcfc5db27deba338c5d81d988b37470f0140
                                                                                                            • Instruction ID: 9a0a6ca4157923b89395c0374f4dec3119354fa50ae8502f8ec30fed5a4e42a3
                                                                                                            • Opcode Fuzzy Hash: 0e189f8a75578943d1c31d82eaa2bcfc5db27deba338c5d81d988b37470f0140
                                                                                                            • Instruction Fuzzy Hash: 6C41CBB4E052589FCB10CFA9D884AEEBBF0AB48324F14812AE819B7200C7789945CF94
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 062CC210, Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • GetThreadContext.KERNEL32(?,?), ref: 062CC2BF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.435008078.00000000062C0000.00000040.00000001.sdmp, Offset: 062C0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: ContextThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 1591575202-0
                                                                                                            • Opcode ID: a120360c68a74f8871819338892f107050100746e875b2162486cd5b3b7e559c
                                                                                                            • Instruction ID: 95bd772be34a6ee255ab762974319c13bbb0ddac56f44421a2e56248c7de4866
                                                                                                            • Opcode Fuzzy Hash: a120360c68a74f8871819338892f107050100746e875b2162486cd5b3b7e559c
                                                                                                            • Instruction Fuzzy Hash: FC31BAB5D052589FCB10CFE9D884AEEFBF0BB48324F14802AE818B7200D738A945CF94
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 062CD570, Relevance: 1.6, APIs: 1, Instructions: 94threadinjectionCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • SetThreadContext.KERNEL32(?,?), ref: 062CD61F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.435008078.00000000062C0000.00000040.00000001.sdmp, Offset: 062C0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: ContextThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 1591575202-0
                                                                                                            • Opcode ID: 6c352c8dabb6ceb4fce7b208183050493111ebc4ee9272843fc4f5f19d71a6dc
                                                                                                            • Instruction ID: 22e0a1ec87320d8aa6c101e83719a1500882efa13fe73977370ef827176dbb9c
                                                                                                            • Opcode Fuzzy Hash: 6c352c8dabb6ceb4fce7b208183050493111ebc4ee9272843fc4f5f19d71a6dc
                                                                                                            • Instruction Fuzzy Hash: 6D31ADB4D052599FCB10CFA9D884AEEFBF1BF49314F14842AE819B7240D778A945CF94
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 05FDC4B8, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • VirtualProtect.KERNEL32(?,?,?,?), ref: 05FDC55F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.434651111.0000000005FD0000.00000040.00000001.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: ProtectVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 544645111-0
                                                                                                            • Opcode ID: 659021989571e7e0f2622639fe370da041decb30a14eb2d486123bfad8149b70
                                                                                                            • Instruction ID: 6923e0e0677fceb002754da30ea0ca0750e34abf9bb38880e3bd36e345ceb786
                                                                                                            • Opcode Fuzzy Hash: 659021989571e7e0f2622639fe370da041decb30a14eb2d486123bfad8149b70
                                                                                                            • Instruction Fuzzy Hash: 073199B9D042589FCF10CFA9D484ADEFBF1BB49310F14902AE814B7210D735A945CF64
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 05FD43E0, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • VirtualProtect.KERNEL32(?,?,?,?), ref: 05FD4487
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.434651111.0000000005FD0000.00000040.00000001.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: ProtectVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 544645111-0
                                                                                                            • Opcode ID: 4ab0e59dbc4e3c2437aa6092c270ea80a3c3ca770e0da639ffdf0e75e7e33a88
                                                                                                            • Instruction ID: 535417a3bd4546dd28e81f186b5f47cce5defca110a471fafd42f4f23a1684ad
                                                                                                            • Opcode Fuzzy Hash: 4ab0e59dbc4e3c2437aa6092c270ea80a3c3ca770e0da639ffdf0e75e7e33a88
                                                                                                            • Instruction Fuzzy Hash: 153189B9D042589FCF10CFA9E484AEEFBF5BB09314F14902AE814B7210D775A985CF64
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 05FD52D4, Relevance: 1.6, APIs: 1, Instructions: 86fileCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • DeleteFileW.KERNEL32(A30A991D), ref: 05FDF4B9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.434651111.0000000005FD0000.00000040.00000001.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: DeleteFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 4033686569-0
                                                                                                            • Opcode ID: a874e9398a4742329add65e857ff5fa927d8614ba35cf82c893bc7098ac8a931
                                                                                                            • Instruction ID: a85329a421c3f0e2f557788eb16a67d097a31f57f0eed206fabf724d44d7aace
                                                                                                            • Opcode Fuzzy Hash: a874e9398a4742329add65e857ff5fa927d8614ba35cf82c893bc7098ac8a931
                                                                                                            • Instruction Fuzzy Hash: B331BAB4D05218DFCB10CFA9D884AEEFBF5BB49314F18806AE415B7310D778AA45CBA4
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 062CD7C8, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.435008078.00000000062C0000.00000040.00000001.sdmp, Offset: 062C0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: ResumeThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 947044025-0
                                                                                                            • Opcode ID: 63d8bde1b3fc62df6933eb8887c9659541e46e8d0aaf6c6f142e776441e37798
                                                                                                            • Instruction ID: 6cd5e05ab56a6984822d7ec6f6999630c63fde8313dd1894329faa791975cf84
                                                                                                            • Opcode Fuzzy Hash: 63d8bde1b3fc62df6933eb8887c9659541e46e8d0aaf6c6f142e776441e37798
                                                                                                            • Instruction Fuzzy Hash: 8531A8B4D052189FCF14CFAAD884ADEFBB5AF49324F14952AE815B7300DB35A941CFA4
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 00888638, Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 008886B2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.425666202.0000000000880000.00000040.00000001.sdmp, Offset: 00880000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: EncodePointer
                                                                                                            • String ID:
                                                                                                            • API String ID: 2118026453-0
                                                                                                            • Opcode ID: 47582033b74d8dd6dfd57ec803323995977242e6ab39df3a9bde12ca6ba66987
                                                                                                            • Instruction ID: 063fea3c609cdf3c23a8940e7301022db41b337c7f2368da33ad4094677759b9
                                                                                                            • Opcode Fuzzy Hash: 47582033b74d8dd6dfd57ec803323995977242e6ab39df3a9bde12ca6ba66987
                                                                                                            • Instruction Fuzzy Hash: 14116070900345CFDF50DFAAC54879ABBF4FB48314F10842AD509E7604EB79A958CF96
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 008888E8, Relevance: 1.6, APIs: 1, Instructions: 53COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 0088895D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.425666202.0000000000880000.00000040.00000001.sdmp, Offset: 00880000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: EncodePointer
                                                                                                            • String ID:
                                                                                                            • API String ID: 2118026453-0
                                                                                                            • Opcode ID: d6bf2437885d5427391053a33124fa6057dad96d0e24ee4a0720467785b21b3b
                                                                                                            • Instruction ID: 39492531a7202f28ffbfbf5528c22eb1b4e627ad552ae3fc23bf8a21712886ac
                                                                                                            • Opcode Fuzzy Hash: d6bf2437885d5427391053a33124fa6057dad96d0e24ee4a0720467785b21b3b
                                                                                                            • Instruction Fuzzy Hash: 801167B0D04349CFDB10EFAAD9487AABFF4FB08314F50842AD444E3640CB79A944CBA2
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 0073D4C4, Relevance: .1, Instructions: 75COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.424952497.000000000073D000.00000040.00000001.sdmp, Offset: 0073D000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0df8c9ad6d35f022c273d41765f9a9bd78609fb3737fe7959ec6b4a6581e140a
                                                                                                            • Instruction ID: cf3dc8d64b4d080839698fa433e232f2a9122366f89e62787709377e127b65a3
                                                                                                            • Opcode Fuzzy Hash: 0df8c9ad6d35f022c273d41765f9a9bd78609fb3737fe7959ec6b4a6581e140a
                                                                                                            • Instruction Fuzzy Hash: 5A21F8B1504244DFEB25DF14E9C0B26BF65FB98318F24C569E9054B247C33ADC65CBA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 0073D4BF, Relevance: .1, Instructions: 56COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.424952497.000000000073D000.00000040.00000001.sdmp, Offset: 0073D000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9d191f27037774c7175ec00988a523654d6fbb25c1dda66acccd64c723f85ba2
                                                                                                            • Instruction ID: 1f5f22817ffee7367ecf3396ed260e7bdf16fcfa895c2f105db78fcd90ac419e
                                                                                                            • Opcode Fuzzy Hash: 9d191f27037774c7175ec00988a523654d6fbb25c1dda66acccd64c723f85ba2
                                                                                                            • Instruction Fuzzy Hash: 0611B176504280CFDB12CF14D9C4B16BF71FB98324F24C6A9D8450B617C33AD966CBA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 0073D819, Relevance: .0, Instructions: 45COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.424952497.000000000073D000.00000040.00000001.sdmp, Offset: 0073D000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: faf02cf10339fa463adeb67290145f39c36a5de48467f7a87abd20de1ab31911
                                                                                                            • Instruction ID: 88853ce3256377f6e50037a034fbfcb4a78b3159ae9bc526b43fe3d84cb76a2e
                                                                                                            • Opcode Fuzzy Hash: faf02cf10339fa463adeb67290145f39c36a5de48467f7a87abd20de1ab31911
                                                                                                            • Instruction Fuzzy Hash: ED01F7B14483449AF7204A26ECC47A2FBE8DF45328F18C45AEA045B287C37DAC84C6B1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 0073D818, Relevance: .0, Instructions: 36COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.424952497.000000000073D000.00000040.00000001.sdmp, Offset: 0073D000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b22c1020ce48f0f91f295a1dc6ef090483a6b2ec51bad90606a72f22073de9f2
                                                                                                            • Instruction ID: 5cdecf2e97e734f024f70ddb75c4111ac70e724156d2603f284909672f289029
                                                                                                            • Opcode Fuzzy Hash: b22c1020ce48f0f91f295a1dc6ef090483a6b2ec51bad90606a72f22073de9f2
                                                                                                            • Instruction Fuzzy Hash: F0F09671444384AEEB208A16DCC4BA2FFE8EF41774F18C55AED485B287C379AC44CAB1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Non-executed Functions

                                                                                                            Analysis Process: InstallUtil.exe PID: 6980 Parent PID: 7052 InstallUtil.exeCOMMON

                                                                                                            Executed Functions

                                                                                                            Function 05DB223C, Relevance: 1.6, APIs: 1, Instructions: 135COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • GetUserNameW.ADVAPI32(00000000,00000000), ref: 05DBB213
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.503142912.0000000005DB0000.00000040.00000001.sdmp, Offset: 05DB0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: NameUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 2645101109-0
                                                                                                            • Opcode ID: 833c9dca89478280ef7867cea430e0281fbbd38ba87a45c33ede4daef7c46172
                                                                                                            • Instruction ID: 0dc35df776e1d4413fec24be357e41685e536f2674289024b67235ad9f918e42
                                                                                                            • Opcode Fuzzy Hash: 833c9dca89478280ef7867cea430e0281fbbd38ba87a45c33ede4daef7c46172
                                                                                                            • Instruction Fuzzy Hash: F8510674D00218CFEB14CFAAC8857DDBBB2BF48314F15811AE816BB351DBB4A844CB95
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 05DB8D98, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59fileCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • DeleteFileW.KERNELBASE(00000000), ref: 05DBB5F8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.503142912.0000000005DB0000.00000040.00000001.sdmp, Offset: 05DB0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: DeleteFile
                                                                                                            • String ID: XT
                                                                                                            • API String ID: 4033686569-4263313721
                                                                                                            • Opcode ID: d2834d999c4cfda296dd62f50e429f140c8e911bfd0f717cdc364510ea1cf557
                                                                                                            • Instruction ID: 02be5d853162668897869880fdeee808c33aecbc834bb7b43f71793288b9660a
                                                                                                            • Opcode Fuzzy Hash: d2834d999c4cfda296dd62f50e429f140c8e911bfd0f717cdc364510ea1cf557
                                                                                                            • Instruction Fuzzy Hash: A32147B1C046598BDB10CF9AC8457DEFBF4FB48324F11816AD819B7240D778AA40CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 05DB2202, Relevance: 1.7, APIs: 1, Instructions: 160COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • GetUserNameW.ADVAPI32(00000000,00000000), ref: 05DBB213
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.503142912.0000000005DB0000.00000040.00000001.sdmp, Offset: 05DB0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: NameUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 2645101109-0
                                                                                                            • Opcode ID: e8a5c508086156fe4672ef40b64dbb072bff0def82b2d126ceaecc9df166583f
                                                                                                            • Instruction ID: 50ef499a6983582d739e852dc3ed86ffac66f9a40af1f2f46290fc2cce2e676b
                                                                                                            • Opcode Fuzzy Hash: e8a5c508086156fe4672ef40b64dbb072bff0def82b2d126ceaecc9df166583f
                                                                                                            • Instruction Fuzzy Hash: 7A5186B0D05318CFEB14CFA9C8947DDBBB2BF49314F05816AD856AB391DBB49844CB94
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 05DB8D80, Relevance: 1.6, APIs: 1, Instructions: 140COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • GetUserNameW.ADVAPI32(00000000,00000000), ref: 05DBB213
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.503142912.0000000005DB0000.00000040.00000001.sdmp, Offset: 05DB0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: NameUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 2645101109-0
                                                                                                            • Opcode ID: bef871f10731febf1663fdf2e731aa5ec55ea84031df2baaad3553cb3ac52422
                                                                                                            • Instruction ID: 69bf9fe0c2f638fd41d04507a16b70c034ea180994a9247b5e30233d36714ab1
                                                                                                            • Opcode Fuzzy Hash: bef871f10731febf1663fdf2e731aa5ec55ea84031df2baaad3553cb3ac52422
                                                                                                            • Instruction Fuzzy Hash: 5E512670D04218CFEB14CFAAC8957DDBBB2BF49314F15812AD856BB350DBB49845CB94
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 05DB8D8C, Relevance: 1.6, APIs: 1, Instructions: 134COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • GetUserNameW.ADVAPI32(00000000,00000000), ref: 05DBB213
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.503142912.0000000005DB0000.00000040.00000001.sdmp, Offset: 05DB0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: NameUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 2645101109-0
                                                                                                            • Opcode ID: c67f645e4e84c0262a4434db573e992a89c588d66c5d31e68953e6a05f6140b4
                                                                                                            • Instruction ID: 3017f70bb913342b1ba8d6ea04380ad9d7ef56c50414fbf87d8c946fe3d6c578
                                                                                                            • Opcode Fuzzy Hash: c67f645e4e84c0262a4434db573e992a89c588d66c5d31e68953e6a05f6140b4
                                                                                                            • Instruction Fuzzy Hash: 1151F474D00218CFEB14CFAAC885BDDBBB2BF48314F15812AE816BB351D7B4A844CB94
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 05DBB0CC, Relevance: 1.6, APIs: 1, Instructions: 134COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • GetUserNameW.ADVAPI32(00000000,00000000), ref: 05DBB213
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.503142912.0000000005DB0000.00000040.00000001.sdmp, Offset: 05DB0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: NameUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 2645101109-0
                                                                                                            • Opcode ID: dce46d3f6de2422ae9abd8198bb6aeeeade6597fb8446cd4df551811d81f6ea0
                                                                                                            • Instruction ID: 90cc596e8516db00c5104fb0310bc70a9510b339c9d1b81e35aed602a82f5d0a
                                                                                                            • Opcode Fuzzy Hash: dce46d3f6de2422ae9abd8198bb6aeeeade6597fb8446cd4df551811d81f6ea0
                                                                                                            • Instruction Fuzzy Hash: 33510675D00218CFEB14CFAAC885BDDBBB2BF48314F15811AE816BB351D7B4A844CB95
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 04E43567, Relevance: 1.6, APIs: 1, Instructions: 124COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E451A2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.500913837.0000000004E40000.00000040.00000001.sdmp, Offset: 04E40000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: CreateWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 716092398-0
                                                                                                            • Opcode ID: f71f667c7d3b194fa3303cfe85a973fdbc481aacd0cf164de3b83e7c6de8f47b
                                                                                                            • Instruction ID: 81a8428c60d7a0a41da13ee6b4e82c203b9a43e1f2b3f3c0478352f7ae9504d3
                                                                                                            • Opcode Fuzzy Hash: f71f667c7d3b194fa3303cfe85a973fdbc481aacd0cf164de3b83e7c6de8f47b
                                                                                                            • Instruction Fuzzy Hash: B65105B1D10308EFDB14CF99D884ADEBBB1FF88354F64812AE819A7210D774A845CF90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 04E45084, Relevance: 1.6, APIs: 1, Instructions: 118COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E451A2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.500913837.0000000004E40000.00000040.00000001.sdmp, Offset: 04E40000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: CreateWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 716092398-0
                                                                                                            • Opcode ID: b1de8115a44d2e98d63ae754996a1786e80f6f70e240f925be7098e13c065fb1
                                                                                                            • Instruction ID: 3cd920511712ebe894d658a6a1e73a043a94df420ceec7acfa3810a2dc9c9168
                                                                                                            • Opcode Fuzzy Hash: b1de8115a44d2e98d63ae754996a1786e80f6f70e240f925be7098e13c065fb1
                                                                                                            • Instruction Fuzzy Hash: AB51D6B1D00309EFDB15CF99D884ADDBBB5BF88314F24812AE518AB210D774A945CF90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 04E43574, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E451A2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.500913837.0000000004E40000.00000040.00000001.sdmp, Offset: 04E40000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: CreateWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 716092398-0
                                                                                                            • Opcode ID: 956e08845818582d1f7f10c7d899c44bf435614ab0913931699e285eafe486f7
                                                                                                            • Instruction ID: e73d18f4a4f194cf7071768c7d120d1271aac5f2645432efbe8eb4761e3cff2e
                                                                                                            • Opcode Fuzzy Hash: 956e08845818582d1f7f10c7d899c44bf435614ab0913931699e285eafe486f7
                                                                                                            • Instruction Fuzzy Hash: AF51C5B1D00308EFDB14CF99D884ADEBBB5BF88314F24812AE919AB210D775A945CF90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 04E4779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 04E47F01
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.500913837.0000000004E40000.00000040.00000001.sdmp, Offset: 04E40000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: CallProcWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 2714655100-0
                                                                                                            • Opcode ID: 1541d163449b5f51a8a6b6e2c13cd1b1e4c9280ada97c591dea02b661b4aaffc
                                                                                                            • Instruction ID: d688f2d19cd51c3b3ebf323dabe27d44923acc6c77009bfea73d367b6624d174
                                                                                                            • Opcode Fuzzy Hash: 1541d163449b5f51a8a6b6e2c13cd1b1e4c9280ada97c591dea02b661b4aaffc
                                                                                                            • Instruction Fuzzy Hash: 534149B4A00205CFDB10CF99D489AAABBF5FF88318F249499E519A7321D734B941CFA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 05DB3D6E, Relevance: 1.6, APIs: 1, Instructions: 88libraryCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNELBASE(?), ref: 05DB3E42
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.503142912.0000000005DB0000.00000040.00000001.sdmp, Offset: 05DB0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: LibraryLoad
                                                                                                            • String ID:
                                                                                                            • API String ID: 1029625771-0
                                                                                                            • Opcode ID: c9a8d4be53dce162df6cc53eb288c8f15798862a5f4c6ce1166b7fa34b1ee436
                                                                                                            • Instruction ID: cb9bcf9a79b59d50c7f45b8934de0fc2169fea5a51837e33855fc27c504e0947
                                                                                                            • Opcode Fuzzy Hash: c9a8d4be53dce162df6cc53eb288c8f15798862a5f4c6ce1166b7fa34b1ee436
                                                                                                            • Instruction Fuzzy Hash: 4A3113B1D00259DFDB14CFA9C8857DEBBB2BB08314F148A2AE816A7340D7B5A845CF95
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 05DBB529, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • DeleteFileW.KERNELBASE(00000000), ref: 05DBB5F8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.503142912.0000000005DB0000.00000040.00000001.sdmp, Offset: 05DB0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: DeleteFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 4033686569-0
                                                                                                            • Opcode ID: a8e3d5b83f2f59a02a84b52307b5ccd89098c004bcfb995e71e2083888f80d7e
                                                                                                            • Instruction ID: 117fa64b3262a3476c5de24e135205070d7a2f318dd3a95b9d4feee099ae7203
                                                                                                            • Opcode Fuzzy Hash: a8e3d5b83f2f59a02a84b52307b5ccd89098c004bcfb995e71e2083888f80d7e
                                                                                                            • Instruction Fuzzy Hash: EB31CDB1D04249CFEB00CFA9C945BDEBBF1AF48314F01856AD559A7781E778A901CB91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 05DB3D78, Relevance: 1.6, APIs: 1, Instructions: 86libraryCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNELBASE(?), ref: 05DB3E42
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.503142912.0000000005DB0000.00000040.00000001.sdmp, Offset: 05DB0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: LibraryLoad
                                                                                                            • String ID:
                                                                                                            • API String ID: 1029625771-0
                                                                                                            • Opcode ID: 209489ddca464d1978d7580872c73d2b46161895779d0054b14f0e4da8df44cb
                                                                                                            • Instruction ID: 1105610735d84c22b9be82ab8a1b598865130eda3f5a28cfe43a746f4d0dc131
                                                                                                            • Opcode Fuzzy Hash: 209489ddca464d1978d7580872c73d2b46161895779d0054b14f0e4da8df44cb
                                                                                                            • Instruction Fuzzy Hash: 7D3105B4D00259DFDB14CFA9C8857DEBBF2BB08314F148A2AE816A7340D7B59445CF95
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 04E46B61, Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04E46B2E,?,?,?,?,?), ref: 04E46BEF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.500913837.0000000004E40000.00000040.00000001.sdmp, Offset: 04E40000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: DuplicateHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 3793708945-0
                                                                                                            • Opcode ID: ecde70755509e2927da833b9f06dfbc55cb010b126dff2a6aeaaadeac0300695
                                                                                                            • Instruction ID: 0737da985803f186e5220e10cf82c55535095ddb2cddf57afe412aee7482832d
                                                                                                            • Opcode Fuzzy Hash: ecde70755509e2927da833b9f06dfbc55cb010b126dff2a6aeaaadeac0300695
                                                                                                            • Instruction Fuzzy Hash: 5E21F5B59002489FDB10CFA9D984ADEFBF4FB49364F14846AE918A3310D778A945CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 04E4651C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04E46B2E,?,?,?,?,?), ref: 04E46BEF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.500913837.0000000004E40000.00000040.00000001.sdmp, Offset: 04E40000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: DuplicateHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 3793708945-0
                                                                                                            • Opcode ID: 09f537c079805b6d2a205841d5c12ed6c61c82a01f848ed8e878dcbd0faf0ff6
                                                                                                            • Instruction ID: 387b351cc7230da4b62e31a65365940149bc8f513c5c4e0012f2feddc32c4b57
                                                                                                            • Opcode Fuzzy Hash: 09f537c079805b6d2a205841d5c12ed6c61c82a01f848ed8e878dcbd0faf0ff6
                                                                                                            • Instruction Fuzzy Hash: CC2114B59002489FDB10CFA9D984ADEBBF4FB48324F14846AE914A3310D378A940CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 04E4BDF8, Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 04E4BE82
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.500913837.0000000004E40000.00000040.00000001.sdmp, Offset: 04E40000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: EncodePointer
                                                                                                            • String ID:
                                                                                                            • API String ID: 2118026453-0
                                                                                                            • Opcode ID: 65be0a6dbef7f705c8dcf5b31505c454b784b12f16f9add0af4e9a2ef6e1163e
                                                                                                            • Instruction ID: 57747c8ff4fb28804df3c7f5f2fc31c3f7d9cf66e7dc4100e0773d3475bf0b7e
                                                                                                            • Opcode Fuzzy Hash: 65be0a6dbef7f705c8dcf5b31505c454b784b12f16f9add0af4e9a2ef6e1163e
                                                                                                            • Instruction Fuzzy Hash: F1219FB19013498FDB20CFAAD4493DEBBF4FB49318F20846AD545A7641D739B905CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 04E4BE08, Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 04E4BE82
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.500913837.0000000004E40000.00000040.00000001.sdmp, Offset: 04E40000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: EncodePointer
                                                                                                            • String ID:
                                                                                                            • API String ID: 2118026453-0
                                                                                                            • Opcode ID: f8fb4453ca60e72da6e6d640d8ebd109e69c8902f533e0353c9dc7674c37f16f
                                                                                                            • Instruction ID: 542bcc82a87a693f0c11690a825468e9071e63c4771ff6012092776f83c75afe
                                                                                                            • Opcode Fuzzy Hash: f8fb4453ca60e72da6e6d640d8ebd109e69c8902f533e0353c9dc7674c37f16f
                                                                                                            • Instruction Fuzzy Hash: C7117CB19403498FDB20DFAAD5487DEBBF4FB88318F20842AD555A7641D739BA04CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 00EAD53C, Relevance: .1, Instructions: 75COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.496643388.0000000000EAD000.00000040.00000001.sdmp, Offset: 00EAD000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 47e1a8ce7d872aec727079eb1a8dfeef1ca0ba4262dddb4cc5782cf55ca32636
                                                                                                            • Instruction ID: d2ff5150ebfcd8b6197f6768d629240e64a126fa749c335ab9a77b7e6d4fa2e7
                                                                                                            • Opcode Fuzzy Hash: 47e1a8ce7d872aec727079eb1a8dfeef1ca0ba4262dddb4cc5782cf55ca32636
                                                                                                            • Instruction Fuzzy Hash: AD2145B1908244DFCB05DF00DCC0B26BF65FB9D328F248568E8065F646C336E856CBA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 00EAD450, Relevance: .1, Instructions: 75COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.496643388.0000000000EAD000.00000040.00000001.sdmp, Offset: 00EAD000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c7dce9dbd48d33409911f8c1b5143d7795920ac78ff620a5c78f3834e87457c4
                                                                                                            • Instruction ID: ac75a2f81bd07d585238aa721b727af5593a6dbed5f24b688231c308a120e3f5
                                                                                                            • Opcode Fuzzy Hash: c7dce9dbd48d33409911f8c1b5143d7795920ac78ff620a5c78f3834e87457c4
                                                                                                            • Instruction Fuzzy Hash: B82121B1908244DFDB00DF10D8C0B66BB65FB8D328F248568E9065F606C336E845CAA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 00EBD01C, Relevance: .1, Instructions: 72COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.496793040.0000000000EBD000.00000040.00000001.sdmp, Offset: 00EBD000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: cfa887e4feae933813405dd321427c248454160a4355829efceea41bb08d67f9
                                                                                                            • Instruction ID: 476524558369637c086a4f03dfd5aecdf4487a5c733a2efc316b977dd862fc24
                                                                                                            • Opcode Fuzzy Hash: cfa887e4feae933813405dd321427c248454160a4355829efceea41bb08d67f9
                                                                                                            • Instruction Fuzzy Hash: 862125B1608240DFCB14EF14D9C0B57BB66FB88318F24C569D8095B246D33AD846CAA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 00EBD005, Relevance: .1, Instructions: 62COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.496793040.0000000000EBD000.00000040.00000001.sdmp, Offset: 00EBD000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: dc5d6eb33e7e09f23b472e66d344fe192b1d3fb824988fe4c1c73fb8624cecd4
                                                                                                            • Instruction ID: affc11755413a2019d0f110cd00493cbde76666d47f1c47557b05abf58935347
                                                                                                            • Opcode Fuzzy Hash: dc5d6eb33e7e09f23b472e66d344fe192b1d3fb824988fe4c1c73fb8624cecd4
                                                                                                            • Instruction Fuzzy Hash: 9C21927550D3C08FCB12CF24D994756BF71EB46314F28C5EAD8498B697C33A980ACB62
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 00EAD44B, Relevance: .1, Instructions: 56COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.496643388.0000000000EAD000.00000040.00000001.sdmp, Offset: 00EAD000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9d191f27037774c7175ec00988a523654d6fbb25c1dda66acccd64c723f85ba2
                                                                                                            • Instruction ID: 6d42e1f338aa9d06174f0eb5bbcb6ed5e2fa3805693564efa8e8c58c47549d4f
                                                                                                            • Opcode Fuzzy Hash: 9d191f27037774c7175ec00988a523654d6fbb25c1dda66acccd64c723f85ba2
                                                                                                            • Instruction Fuzzy Hash: 9711B176808280CFDF11CF14D9C4B16BF71FB99328F2486A9D8051B616C336E85ACBA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Function 00EAD537, Relevance: .1, Instructions: 56COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000019.00000002.496643388.0000000000EAD000.00000040.00000001.sdmp, Offset: 00EAD000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9d191f27037774c7175ec00988a523654d6fbb25c1dda66acccd64c723f85ba2
                                                                                                            • Instruction ID: 9f96184d5cb1049de9dfc6e55255d47459f6844b5f664c983492b997b50397a7
                                                                                                            • Opcode Fuzzy Hash: 9d191f27037774c7175ec00988a523654d6fbb25c1dda66acccd64c723f85ba2
                                                                                                            • Instruction Fuzzy Hash: 4011B176804280CFCB16CF10D9C4B16BF72FB99328F24C6A9D8095F616C336E856CBA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Non-executed Functions