
Analysis Report MPO-003234.exe

Overview

General Information

Sample Name: MPO-003234.exe
Analysis ID: 356523
MD5: 8bc8526fbaafbac33118ee652ac97da6
SHA1: 7b23c7209b8f37bb32803971c36ab706b4a8e34d
SHA256: cfe1f69c2984de3f5d476db3ce45aa4d95a8137f0ff1ba07c1b0cecf15075c93
Tags: exe

Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name in its version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer

Startup

  • System is w10x64
  • MPO-003234.exe (PID: 6584 cmdline: 'C:\Users\user\Desktop\MPO-003234.exe' MD5: 8BC8526FBAAFBAC33118EE652AC97DA6)
    • cmd.exe (PID: 6720 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 6764 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • badman.exe (PID: 7052 cmdline: 'C:\Users\user\AppData\Roaming\badman.exe' MD5: 8BC8526FBAAFBAC33118EE652AC97DA6)
      • InstallUtil.exe (PID: 6980 cmdline: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000010.00000002.432474443.0000000003EAA000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000010.00000002.432224674.0000000003D39000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 9 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.MPO-003234.exe.4b021b8.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
16.2.badman.exe.3ee08b0.6.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
16.2.badman.exe.3e089da.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.MPO-003234.exe.4acc202.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.MPO-003234.exe.4a602a2.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 16 entries shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\badman.exe | ReversingLabs: Detection: 19%
Multi AV Scanner detection for submitted file
Source: MPO-003234.exe | Virustotal: Detection: 24%
Source: MPO-003234.exe | ReversingLabs: Detection: 19%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\badman.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: MPO-003234.exe | Joe Sandbox ML: detected
Source: 25.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: MPO-003234.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: MPO-003234.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll | source: InstallUtil.exe, 00000019.00000002.493071070.00000000006E2000.00000002.00020000.sdmp, zUbDt.exe.25.dr
Source: Binary string: InstallUtil.pdb | source: InstallUtil.exe, zUbDt.exe.25.dr
Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: MPO-003234.exe, 00000000.00000003.307888382.0000000001385000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426779004.00000000009D7000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: MPO-003234.exe, 00000000.00000003.238538980.0000000009BE4000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adb
Source: MPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1
Source: MPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1p
Source: MPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmp, badman.exe, 00000010.00000003.347728528.0000000009035000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: badman.exe, 00000010.00000003.422941176.000000000903D000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g%%
Source: badman.exe, 00000010.00000003.347207533.0000000009035000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g5~
Source: MPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/gp
Source: MPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobj
Source: MPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobjp
Source: MPO-003234.exe, 00000000.00000003.307888382.0000000001385000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426779004.00000000009D7000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: MPO-003234.exe, 00000000.00000003.307888382.0000000001385000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: MPO-003234.exe, 00000000.00000002.331426011.0000000003102000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.427101971.00000000024E2000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/WebPage
Source: MPO-003234.exe, 00000000.00000002.331380288.00000000030D1000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426997303.00000000024B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp | String found in binary or memory: http://wqDPxI.com
Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: MPO-003234.exe, 00000000.00000002.331380288.00000000030D1000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426997303.00000000024B1000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com
Source: MPO-003234.exe, 00000000.00000002.331380288.00000000030D1000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426997303.00000000024B1000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/
Source: MPO-003234.exe, 00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.432474443.0000000003EAA000.00000004.00000001.sdmp, InstallUtil.exe, 00000019.00000002.492241366.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: badman.exe, 00000010.00000002.426259290.00000000008F8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: MPO-003234.exe, c3R/Xn4.cs | Large array initialization: .cctor: array initializer size 10710
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 16_2_062C2E0C CreateProcessAsUserW
Source: C:\Users\user\Desktop\MPO-003234.exe | Code functions (3):
  0_2_00CA366F, 0_2_014ACD20, 0_2_014AFCE0
Source: C:\Users\user\AppData\Roaming\badman.exe | Code functions (49):
  16_2_000C366F, 16_2_0088FCE0, 16_2_05FD75B0, 16_2_05FD34F8, 16_2_05FD5470, 16_2_05FDF748, 16_2_05FD6730,
  16_2_05FDE648, 16_2_05FDC610, 16_2_05FD5CE0, 16_2_05FDDE60, 16_2_05FD7566, 16_2_05FD44F0, 16_2_05FD34E8,
  16_2_05FD44E0, 16_2_05FD84D8, 16_2_05FD74DB, 16_2_05FD84CA, 16_2_05FD5461, 16_2_05FD9730, 16_2_05FD6720,
  16_2_05FD9720, 16_2_05FDD658, 16_2_05FD61E0, 16_2_05FD61D2, 16_2_05FD9090, 16_2_05FD9080, 16_2_05FD9DC8,
  16_2_05FD9DB9, 16_2_05FD5CD0, 16_2_05FDE9F8, 16_2_05FD9968, 16_2_05FD9958, 16_2_05FDC8C0, 16_2_05FD9BE0,
  16_2_05FD9BD0, 16_2_062C2218, 16_2_062C7268, 16_2_062C3377, 16_2_062C6B47, 16_2_062C0C78, 16_2_062C5087,
  16_2_062C90DF, 16_2_062CB970, 16_2_062C3D5F, 16_2_062C2210, 16_2_062C9B68, 16_2_062C0B4F, 16_2_062C0BA9
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code functions (8):
  25_2_006E20B0, 25_2_04E446A0, 25_2_04E445B0, 25_2_04E4D270, 25_2_05DB6508, 25_2_05DB7120, 25_2_05DB90D8,
  25_2_05DB6850
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Source: MPO-003234.exe | Binary or memory string: OriginalFilename vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000000.227384578.0000000000D65000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRaj.exeH vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.340962321.0000000006140000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.341301388.0000000006E50000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.336807432.00000000050F0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamerqKssByvppSbVMHQvZHbRwnFF.exe4 vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.341162327.0000000006B30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.336933467.0000000005150000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.336933467.0000000005150000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs MPO-003234.exe
Source: MPO-003234.exe | Binary or memory string: OriginalFilenameRaj.exeH vs MPO-003234.exe
Source: MPO-003234.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/6@0/1
Source: C:\Users\user\Desktop\MPO-003234.exe | File created: C:\Users\user\AppData\Roaming\badman.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_01
Source: C:\Users\user\Desktop\MPO-003234.exe | File created: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
Source: MPO-003234.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MPO-003234.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\badman.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\MPO-003234.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\MPO-003234.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\MPO-003234.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\MPO-003234.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\MPO-003234.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\badman.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\badman.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\badman.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: MPO-003234.exe | Virustotal: Detection: 24%
Source: MPO-003234.exe | ReversingLabs: Detection: 19%
Source: MPO-003234.exe | String found in binary or memory: icons8-add-48
Source: MPO-003234.exe | String found in binary or memory: icons8-add-administrator-50
Source: MPO-003234.exe | String found in binary or memory: icons8-add-24
Source: MPO-003234.exe | String found in binary or memory: icons8-add-32
Source: badman.exe | String found in binary or memory: icons8-add-24
Source: badman.exe | String found in binary or memory: icons8-add-32
Source: badman.exe | String found in binary or memory: icons8-add-48
Source: badman.exe | String found in binary or memory: icons8-add-administrator-50
Source: MPO-003234.exe | String found in binary or memory: icons8-add-24
Source: MPO-003234.exe | String found in binary or memory: icons8-add-32[
Source: MPO-003234.exe | String found in binary or memory: icons8-add-48
Source: MPO-003234.exe | String found in binary or memory: 6icons8-add-administrator-50
Source: C:\Users\user\Desktop\MPO-003234.exe | File read: C:\Users\user\Desktop\MPO-003234.exe
Source: unknown | Process created: C:\Users\user\Desktop\MPO-003234.exe 'C:\Users\user\Desktop\MPO-003234.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\MPO-003234.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: C:\Users\user\Desktop\MPO-003234.exe | Process created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: C:\Users\user\AppData\Roaming\badman.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\MPO-003234.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: C:\Users\user\Desktop\MPO-003234.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: MPO-003234.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: MPO-003234.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll | source: InstallUtil.exe, 00000019.00000002.493071070.00000000006E2000.00000002.00020000.sdmp, zUbDt.exe.25.dr
Source: Binary string: InstallUtil.pdb | source: InstallUtil.exe, zUbDt.exe.25.dr
Source: C:\Users\user\Desktop\MPO-003234.exe | Code function: 0_2_00CA55FE push FFFFFFD7h; ret 0_2_00CA5608
Source: C:\Users\user\Desktop\MPO-003234.exe | Code function: 0_2_00CA558A push FFFFFFD7h; ret 0_2_00CA5578
Source: C:\Users\user\Desktop\MPO-003234.exe | Code function: 0_2_00CA5560 push FFFFFFD7h; ret 0_2_00CA5578
Source: C:\Users\user\Desktop\MPO-003234.exe | Code function: 0_2_00CA4112 push edx; ret 0_2_00CA4113
Source: C:\Users\user\Desktop\MPO-003234.exe | Code function: 0_2_00CA4122 push esi; ret 0_2_00CA4123
Source: C:\Users\user\Desktop\MPO-003234.exe | Code function: 0_2_00CA4AE9 push ebp; retf 0_2_00CA4AEA
Source: C:\Users\user\Desktop\MPO-003234.exe | Code function: 0_2_00CA3294 push eax; retf 0_2_00CA3295
Source: C:\Users\user\Desktop\MPO-003234.exe | Code function: 0_2_00CA3204 push cs; iretd 0_2_00CA3205
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 16_2_000C4112 push edx; ret 16_2_000C4113
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 16_2_000C4122 push esi; ret 16_2_000C4123
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 16_2_000C5560 push FFFFFFD7h; ret 16_2_000C5578
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 16_2_000C558A push FFFFFFD7h; ret 16_2_000C5578
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 16_2_000C55FE push FFFFFFD7h; ret 16_2_000C5608
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 16_2_000C3204 push cs; iretd 16_2_000C3205
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 16_2_000C3294 push eax; retf 16_2_000C3295
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 16_2_000C4AE9 push ebp; retf 16_2_000C4AEA
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 16_2_05FDA0C4 push ecx; iretd 16_2_05FDA0C6
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 16_2_05FD3E22 push ecx; ret 16_2_05FD3E26
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 16_2_062C2E58 pushfd ; retf 16_2_062C2E61
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 16_2_062CD2F2 push ebp; retf 16_2_062CD2FE
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 16_2_062C2F35 push eax; retf 16_2_062C2F3A
Source: C:\Users\user\AppData\Roaming\badman.exe | Code function: 16_2_062C9B58 pushad ; retf 16_2_062C9B65
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 25_2_04E4B537 push 6C00005Eh; retf 25_2_04E4B551
Source: MPO-003234.exe, Ed8/Hb5.cs | High entropy of concatenated method names: '.ctor', 'a3S', 'Lq4', 't3R', 'Qw5', 'k1P', 'Fb7', 'Me5', 'Tz6', 'a4K'
Source: C:\Users\user\Desktop\MPO-003234.exe | File created: C:\Users\user\AppData\Roaming\badman.exe
Source: C:\Users\user\Desktop\MPO-003234.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe

                      Boot Survival:

                      Creates multiple autostart registry keys
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run zUbDt
                      Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run neil
                      Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run neil
                      Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run neil
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run zUbDt
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run zUbDt

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Users\user\Desktop\MPO-003234.exe File opened: C:\Users\user\Desktop\MPO-003234.exe\:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\AppData\Roaming\badman.exe File opened: C:\Users\user\AppData\Roaming\badman.exe\:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\Desktop\MPO-003234.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\MPO-003234.exe Process information set: NOOPENFILEERRORBOX (57 identical entries)
                      Source: C:\Users\user\AppData\Roaming\badman.exe Process information set: NOOPENFILEERRORBOX (56 identical entries)
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX (45 identical entries)

                      Malware Analysis System Evasion:

                      Yara detected AntiVM_3
                      Source: Yara match File source: Process Memory Space: badman.exe PID: 7052, type: MEMORY
                      Source: Yara match File source: Process Memory Space: MPO-003234.exe PID: 6584, type: MEMORY
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\MPO-003234.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\Desktop\MPO-003234.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\badman.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\MPO-003234.exe Window / User API: threadDelayed 3943
                      Source: C:\Users\user\Desktop\MPO-003234.exe Window / User API: threadDelayed 5674
                      Source: C:\Users\user\AppData\Roaming\badman.exe Window / User API: threadDelayed 7599
                      Source: C:\Users\user\AppData\Roaming\badman.exe Window / User API: threadDelayed 2127
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 362
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 9461
                      Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6680 Thread sleep time: -16602069666338586s >= -30000s
                      Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6696 Thread sleep count: 3943 > 30
                      Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6696 Thread sleep count: 5674 > 30
                      Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6680 Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6680 Thread sleep count: 40 > 30
                      Source: C:\Users\user\AppData\Roaming\badman.exe TID: 6524 Thread sleep time: -14757395258967632s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\badman.exe TID: 2084 Thread sleep count: 7599 > 30
                      Source: C:\Users\user\AppData\Roaming\badman.exe TID: 2084 Thread sleep count: 2127 > 30
                      Source: C:\Users\user\AppData\Roaming\badman.exe TID: 6524 Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4792 Thread sleep time: -14757395258967632s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4500 Thread sleep count: 362 > 30
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4500 Thread sleep count: 9461 > 30
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4792 Thread sleep count: 34 > 30
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp Binary or memory string: VMware
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp Binary or memory string: vmware vmci bus device!vmware virtual s scsi disk device
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp Binary or memory string: vmware svga
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp Binary or memory string: vboxservice
                      Source: MPO-003234.exe, 00000000.00000002.331497829.0000000003183000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-Vmicrosoft
                      Source: MPO-003234.exe, 00000000.00000002.340962321.0000000006140000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.242078928.00000000011D0000.00000002.00000001.sdmp, badman.exe, 00000010.00000002.433984581.0000000005580000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.502507396.0000000005AC0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine cou