Loading ...

Play interactive tourEdit tour

Analysis Report MPO-003234.exe

Overview

General Information

Sample Name:MPO-003234.exe
Analysis ID:356523
MD5:8bc8526fbaafbac33118ee652ac97da6
SHA1:7b23c7209b8f37bb32803971c36ab706b4a8e34d
SHA256:cfe1f69c2984de3f5d476db3ce45aa4d95a8137f0ff1ba07c1b0cecf15075c93
Tags:exe

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • MPO-003234.exe (PID: 6584 cmdline: 'C:\Users\user\Desktop\MPO-003234.exe' MD5: 8BC8526FBAAFBAC33118EE652AC97DA6)
    • cmd.exe (PID: 6720 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 6764 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • badman.exe (PID: 7052 cmdline: 'C:\Users\user\AppData\Roaming\badman.exe' MD5: 8BC8526FBAAFBAC33118EE652AC97DA6)
      • InstallUtil.exe (PID: 6980 cmdline: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000010.00000002.432474443.0000000003EAA000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000010.00000002.432224674.0000000003D39000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 9 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.MPO-003234.exe.4b021b8.5.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              16.2.badman.exe.3ee08b0.6.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                16.2.badman.exe.3e089da.3.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  0.2.MPO-003234.exe.4acc202.6.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    0.2.MPO-003234.exe.4a602a2.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 16 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\badman.exeReversingLabs: Detection: 19%
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: MPO-003234.exeVirustotal: Detection: 24%Perma Link
                      Source: MPO-003234.exeReversingLabs: Detection: 19%
                      Machine Learning detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\badman.exeJoe Sandbox ML: detected
                      Machine Learning detection for sampleShow sources
                      Source: MPO-003234.exeJoe Sandbox ML: detected
                      Source: 25.2.InstallUtil.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8

                      Compliance:

                      barindex
                      Uses 32bit PE filesShow sources
                      Source: MPO-003234.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
                      Source: MPO-003234.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Binary contains paths to debug symbolsShow sources
                      Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000019.00000002.493071070.00000000006E2000.00000002.00020000.sdmp, zUbDt.exe.25.dr
                      Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, zUbDt.exe.25.dr
                      Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpString found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
                      Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpString found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
                      Source: MPO-003234.exe, 00000000.00000003.307888382.0000000001385000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426779004.00000000009D7000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                      Source: MPO-003234.exe, 00000000.00000003.238538980.0000000009BE4000.00000004.00000001.sdmpString found in binary or memory: http://ns.adb
                      Source: MPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmpString found in binary or memory: http://ns.ado/1
                      Source: MPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmpString found in binary or memory: http://ns.ado/1p
                      Source: MPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmp, badman.exe, 00000010.00000003.347728528.0000000009035000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.c/g
                      Source: badman.exe, 00000010.00000003.422941176.000000000903D000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.c/g%%
                      Source: badman.exe, 00000010.00000003.347207533.0000000009035000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.c/g5~
                      Source: MPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.c/gp
                      Source: MPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.cobj
                      Source: MPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.cobjp
                      Source: MPO-003234.exe, 00000000.00000003.307888382.0000000001385000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426779004.00000000009D7000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0:
                      Source: MPO-003234.exe, 00000000.00000003.307888382.0000000001385000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.msocsp.com0
                      Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.pki.goog/gsr202
                      Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.pki.goog/gts1o1core0
                      Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
                      Source: MPO-003234.exe, 00000000.00000002.331426011.0000000003102000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.427101971.00000000024E2000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/WebPage
                      Source: MPO-003234.exe, 00000000.00000002.331380288.00000000030D1000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426997303.00000000024B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpString found in binary or memory: http://wqDPxI.com
                      Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpString found in binary or memory: https://pki.goog/repository/0
                      Source: MPO-003234.exe, 00000000.00000002.331380288.00000000030D1000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426997303.00000000024B1000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com
                      Source: MPO-003234.exe, 00000000.00000002.331380288.00000000030D1000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426997303.00000000024B1000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/
                      Source: MPO-003234.exe, 00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.432474443.0000000003EAA000.00000004.00000001.sdmp, InstallUtil.exe, 00000019.00000002.492241366.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: badman.exe, 00000010.00000002.426259290.00000000008F8000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: MPO-003234.exe, c3R/Xn4.csLarge array initialization: .cctor: array initializer size 10710
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C2E0C CreateProcessAsUserW,
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_00CA366F
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_014ACD20
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_014AFCE0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_000C366F
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_0088FCE0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD75B0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD34F8
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD5470
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FDF748
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD6730
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FDE648
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FDC610
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD5CE0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FDDE60
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD7566
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD44F0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD34E8
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD44E0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD84D8
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD74DB
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD84CA
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD5461
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD9730
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD6720
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD9720
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FDD658
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD61E0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD61D2
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD9090
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD9080
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD9DC8
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD9DB9
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD5CD0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FDE9F8
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD9968
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD9958
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FDC8C0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD9BE0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD9BD0
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C2218
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C7268
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C3377
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C6B47
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C0C78
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C5087
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C90DF
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062CB970
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C3D5F
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C2210
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C9B68
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C0B4F
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C0BA9
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_006E20B0
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_04E446A0
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_04E445B0
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_04E4D270
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_05DB6508
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_05DB7120
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_05DB90D8
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_05DB6850
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                      Source: MPO-003234.exeBinary or memory string: OriginalFilename vs MPO-003234.exe
                      Source: MPO-003234.exe, 00000000.00000000.227384578.0000000000D65000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRaj.exeH vs MPO-003234.exe
                      Source: MPO-003234.exe, 00000000.00000002.340962321.0000000006140000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs MPO-003234.exe
                      Source: MPO-003234.exe, 00000000.00000002.341301388.0000000006E50000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSHCore1.dll0 vs MPO-003234.exe
                      Source: MPO-003234.exe, 00000000.00000002.336807432.00000000050F0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs MPO-003234.exe
                      Source: MPO-003234.exe, 00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamerqKssByvppSbVMHQvZHbRwnFF.exe4 vs MPO-003234.exe
                      Source: MPO-003234.exe, 00000000.00000002.341162327.0000000006B30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs MPO-003234.exe
                      Source: MPO-003234.exe, 00000000.00000002.336933467.0000000005150000.00000002.00000001.sdmpBinary or memory string: originalfilename vs MPO-003234.exe
                      Source: MPO-003234.exe, 00000000.00000002.336933467.0000000005150000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs MPO-003234.exe
                      Source: MPO-003234.exeBinary or memory string: OriginalFilenameRaj.exeH vs MPO-003234.exe
                      Source: MPO-003234.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@10/6@0/1
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile created: C:\Users\user\AppData\Roaming\badman.exeJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_01
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile created: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exeJump to behavior
                      Source: MPO-003234.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\MPO-003234.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\badman.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\badman.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: MPO-003234.exeVirustotal: Detection: 24%
                      Source: MPO-003234.exeReversingLabs: Detection: 19%
                      Source: MPO-003234.exeString found in binary or memory: icons8-add-48
                      Source: MPO-003234.exeString found in binary or memory: icons8-add-administrator-50
                      Source: MPO-003234.exeString found in binary or memory: icons8-add-24
                      Source: MPO-003234.exeString found in binary or memory: icons8-add-32
                      Source: badman.exeString found in binary or memory: icons8-add-24
                      Source: badman.exeString found in binary or memory: icons8-add-32
                      Source: badman.exeString found in binary or memory: icons8-add-48
                      Source: badman.exeString found in binary or memory: icons8-add-administrator-50
                      Source: MPO-003234.exeString found in binary or memory: icons8-add-24
                      Source: MPO-003234.exeString found in binary or memory: icons8-add-32[
                      Source: MPO-003234.exeString found in binary or memory: icons8-add-48
                      Source: MPO-003234.exeString found in binary or memory: 6icons8-add-administrator-50
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile read: C:\Users\user\Desktop\MPO-003234.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\MPO-003234.exe 'C:\Users\user\Desktop\MPO-003234.exe'
                      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
                      Source: C:\Users\user\Desktop\MPO-003234.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: MPO-003234.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: MPO-003234.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000019.00000002.493071070.00000000006E2000.00000002.00020000.sdmp, zUbDt.exe.25.dr
                      Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, zUbDt.exe.25.dr
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_00CA55FE push FFFFFFD7h; ret
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_00CA558A push FFFFFFD7h; ret
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_00CA5560 push FFFFFFD7h; ret
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_00CA4112 push edx; ret
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_00CA4122 push esi; ret
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_00CA4AE9 push ebp; retf
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_00CA3294 push eax; retf
                      Source: C:\Users\user\Desktop\MPO-003234.exeCode function: 0_2_00CA3204 push cs; iretd
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_000C4112 push edx; ret
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_000C4122 push esi; ret
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_000C5560 push FFFFFFD7h; ret
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_000C558A push FFFFFFD7h; ret
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_000C55FE push FFFFFFD7h; ret
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_000C3204 push cs; iretd
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_000C3294 push eax; retf
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_000C4AE9 push ebp; retf
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FDA0C4 push ecx; iretd
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_05FD3E22 push ecx; ret
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C2E58 pushfd ; retf
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062CD2F2 push ebp; retf
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C2F35 push eax; retf
                      Source: C:\Users\user\AppData\Roaming\badman.exeCode function: 16_2_062C9B58 pushad ; retf
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_04E4B537 push 6C00005Eh; retf
                      Source: MPO-003234.exe, Ed8/Hb5.csHigh entropy of concatenated method names: '.ctor', 'a3S', 'Lq4', 't3R', 'Qw5', 'k1P', 'Fb7', 'Me5', 'Tz6', 'a4K'
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile created: C:\Users\user\AppData\Roaming\badman.exeJump to dropped file
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile created: C:\Users\user\AppData\Local\Temp\InstallUtil.exeJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exeJump to dropped file

                      Boot Survival:

                      barindex
                      Creates multiple autostart registry keysShow sources
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run zUbDtJump to behavior
                      Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run neilJump to behavior
                      Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run neilJump to behavior
                      Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run neilJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run zUbDtJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run zUbDtJump to behavior

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile opened: C:\Users\user\Desktop\MPO-003234.exe\:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\AppData\Roaming\badman.exeFile opened: C:\Users\user\AppData\Roaming\badman.exe\:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\Desktop\MPO-003234.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM_3Show sources
                      Source: Yara matchFile source: Process Memory Space: badman.exe PID: 7052, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: MPO-003234.exe PID: 6584, type: MEMORY
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\MPO-003234.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\Desktop\MPO-003234.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\badman.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\MPO-003234.exeWindow / User API: threadDelayed 3943
                      Source: C:\Users\user\Desktop\MPO-003234.exeWindow / User API: threadDelayed 5674
                      Source: C:\Users\user\AppData\Roaming\badman.exeWindow / User API: threadDelayed 7599
                      Source: C:\Users\user\AppData\Roaming\badman.exeWindow / User API: threadDelayed 2127
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWindow / User API: threadDelayed 362
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWindow / User API: threadDelayed 9461
                      Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6680Thread sleep time: -16602069666338586s >= -30000s
                      Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6696Thread sleep count: 3943 > 30
                      Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6696Thread sleep count: 5674 > 30
                      Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6680Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6680Thread sleep count: 40 > 30
                      Source: C:\Users\user\AppData\Roaming\badman.exe TID: 6524Thread sleep time: -14757395258967632s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\badman.exe TID: 2084Thread sleep count: 7599 > 30
                      Source: C:\Users\user\AppData\Roaming\badman.exe TID: 2084Thread sleep count: 2127 > 30
                      Source: C:\Users\user\AppData\Roaming\badman.exe TID: 6524Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4792Thread sleep time: -14757395258967632s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4500Thread sleep count: 362 > 30
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4500Thread sleep count: 9461 > 30
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4792Thread sleep count: 34 > 30
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: VMware
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmware vmci bus device!vmware virtual s scsi disk device
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmware svga
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vboxservice
                      Source: MPO-003234.exe, 00000000.00000002.331497829.0000000003183000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: Microsoft Hyper-Vmicrosoft
                      Source: MPO-003234.exe, 00000000.00000002.340962321.0000000006140000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.242078928.00000000011D0000.00000002.00000001.sdmp, badman.exe, 00000010.00000002.433984581.0000000005580000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.502507396.0000000005AC0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmware usb pointing device
                      Source: MPO-003234.exe, 00000000.00000002.331497829.0000000003183000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmusrvc
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmware pointing device
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmware sata
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmsrvc
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmtools
                      Source: MPO-003234.exe, 00000000.00000002.331497829.0000000003183000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: Microsoft Hyper-V
                      Source: MPO-003234.exe, 00000000.00000002.340962321.0000000006140000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.242078928.00000000011D0000.00000002.00000001.sdmp, badman.exe, 00000010.00000002.433984581.0000000005580000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.502507396.0000000005AC0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: MPO-003234.exe, 00000000.00000002.340962321.0000000006140000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.242078928.00000000011D0000.00000002.00000001.sdmp, badman.exe, 00000010.00000002.433984581.0000000005580000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.502507396.0000000005AC0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmware virtual s scsi disk device
                      Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmpBinary or memory string: vmware vmci bus device
                      Source: badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: MPO-003234.exe, 00000000.00000002.340962321.0000000006140000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.242078928.00000000011D0000.00000002.00000001.sdmp, badman.exe, 00000010.00000002.433984581.0000000005580000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.502507396.0000000005AC0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\MPO-003234.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\AppData\Roaming\badman.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
                      Writes to foreign memory regionsShow sources
                      Source: C:\Users\user\AppData\Roaming\badman.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
                      Source: C:\Users\user\AppData\Roaming\badman.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
                      Source: C:\Users\user\AppData\Roaming\badman.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 438000
                      Source: C:\Users\user\AppData\Roaming\badman.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 43A000
                      Source: C:\Users\user\AppData\Roaming\badman.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 820008
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: C:\Users\user\Desktop\MPO-003234.exeProcess created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
                      Source: C:\Users\user\AppData\Roaming\badman.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
                      Source: InstallUtil.exe, 00000019.00000002.497274948.00000000013A0000.00000002.00000001.sdmpBinary or memory string: uProgram Manager
                      Source: InstallUtil.exe, 00000019.00000002.497274948.00000000013A0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: InstallUtil.exe, 00000019.00000002.497274948.00000000013A0000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: InstallUtil.exe, 00000019.00000002.497274948.00000000013A0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\MPO-003234.exeQueries volume information: C:\Users\user\Desktop\MPO-003234.exe VolumeInformation
                      Source: C:\Users\user\Desktop\MPO-003234.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\MPO-003234.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\MPO-003234.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\MPO-003234.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\MPO-003234.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\MPO-003234.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exeQueries volume information: C:\Users\user\AppData\Roaming\badman.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\badman.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_05DB223C GetUserNameW,
                      Source: C:\Users\user\Desktop\MPO-003234.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000010.00000002.432474443.0000000003EAA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.432224674.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.432317195.0000000003D9C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.336384581.0000000004ACC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.492241366.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: badman.exe PID: 7052, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: MPO-003234.exe PID: 6584, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 6980, type: MEMORY
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4b021b8.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3ee08b0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3e089da.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4acc202.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4a602a2.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3ee08b0.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3eaa8fa.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4acc202.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3e089da.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4a2a2e2.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4a2a2e2.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3dd2a0a.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3e3e99a.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.49f4312.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4b021b8.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4a602a2.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.49f4312.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3eaa8fa.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3dd2a0a.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3e3e99a.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 6980, type: MEMORY

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000010.00000002.432474443.0000000003EAA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.432224674.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.432317195.0000000003D9C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.336384581.0000000004ACC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.492241366.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: badman.exe PID: 7052, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: MPO-003234.exe PID: 6584, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 6980, type: MEMORY
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4b021b8.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3ee08b0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3e089da.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4acc202.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4a602a2.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3ee08b0.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3eaa8fa.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4acc202.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3e089da.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4a2a2e2.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4a2a2e2.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3dd2a0a.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3e3e99a.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.49f4312.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4b021b8.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.4a602a2.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.MPO-003234.exe.49f4312.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3eaa8fa.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3dd2a0a.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.badman.exe.3e3e99a.4.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid Accounts1Windows Management Instrumentation211Valid Accounts1Valid Accounts1Disable or Modify Tools1Input Capture1Account Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsCommand and Scripting Interpreter2Registry Run Keys / Startup Folder11Access Token Manipulation1Obfuscated Files or Information1LSASS MemoryFile and Directory Discovery1Remote Desktop ProtocolInput Capture1Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Process Injection212Software Packing1Security Account ManagerSystem Information Discovery113SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Registry Run Keys / Startup Folder11Masquerading1NTDSQuery Registry1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptValid Accounts1LSA SecretsSecurity Software Discovery221SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonModify Registry1Cached Domain CredentialsVirtualization/Sandbox Evasion14VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsAccess Token Manipulation1DCSyncProcess Discovery2Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobVirtualization/Sandbox Evasion14Proc FilesystemApplication Window Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Process Injection212/etc/passwd and /etc/shadowSystem Owner/User Discovery1Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                      Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Hidden Files and Directories1Network SniffingRemote System Discovery1Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 356523 Sample: MPO-003234.exe Startdate: 23/02/2021 Architecture: WINDOWS Score: 100 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected AgentTesla 2->39 41 Yara detected AntiVM_3 2->41 43 2 other signatures 2->43 7 MPO-003234.exe 15 7 2->7         started        process3 file4 27 C:\Users\user\AppData\Roaming\badman.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\...\InstallUtil.exe, PE32 7->29 dropped 31 C:\Users\user\...\badman.exe:Zone.Identifier, ASCII 7->31 dropped 33 C:\Users\user\AppData\...\MPO-003234.exe.log, ASCII 7->33 dropped 53 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->53 11 badman.exe 14 3 7->11         started        15 cmd.exe 1 7->15         started        signatures5 process6 dnsIp7 35 192.168.2.1 unknown unknown 11->35 55 Multi AV Scanner detection for dropped file 11->55 57 Machine Learning detection for dropped file 11->57 59 Writes to foreign memory regions 11->59 61 2 other signatures 11->61 17 InstallUtil.exe 2 4 11->17         started        21 reg.exe 1 1 15->21         started        23 conhost.exe 15->23         started        signatures8 process9 file10 25 C:\Users\user\AppData\Roaming\...\zUbDt.exe, PE32 17->25 dropped 45 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->45 47 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->47 49 Creates multiple autostart registry keys 17->49 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->51 signatures11

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      MPO-003234.exe24%VirustotalBrowse
                      MPO-003234.exe19%ReversingLabsWin32.Trojan.Wacatac
                      MPO-003234.exe100%Joe Sandbox ML

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\badman.exe100%Joe Sandbox ML
                      C:\Users\user\AppData\Local\Temp\InstallUtil.exe0%MetadefenderBrowse
                      C:\Users\user\AppData\Local\Temp\InstallUtil.exe0%ReversingLabs
                      C:\Users\user\AppData\Roaming\badman.exe19%ReversingLabsWin32.Trojan.Wacatac
                      C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe0%MetadefenderBrowse
                      C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe0%ReversingLabs

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      25.2.InstallUtil.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://ns.adobe.cobj0%URL Reputationsafe
                      http://ns.adobe.cobj0%URL Reputationsafe
                      http://ns.adobe.cobj0%URL Reputationsafe
                      http://ns.adobe.cobj0%URL Reputationsafe
                      http://wqDPxI.com0%Avira URL Cloudsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      http://ocsp.pki.goog/gts1o1core00%URL Reputationsafe
                      http://ocsp.pki.goog/gts1o1core00%URL Reputationsafe
                      http://ocsp.pki.goog/gts1o1core00%URL Reputationsafe
                      http://ocsp.pki.goog/gts1o1core00%URL Reputationsafe
                      http://ns.adobe.c/gp0%Avira URL Cloudsafe
                      http://crl.pki.goog/GTS1O1core.crl00%URL Reputationsafe
                      http://crl.pki.goog/GTS1O1core.crl00%URL Reputationsafe
                      http://crl.pki.goog/GTS1O1core.crl00%URL Reputationsafe
                      http://crl.pki.goog/GTS1O1core.crl00%URL Reputationsafe
                      http://ns.adb0%Avira URL Cloudsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      http://ns.adobe.c/g%%0%Avira URL Cloudsafe
                      http://pki.goog/gsr2/GTS1O1.crt00%URL Reputationsafe
                      http://pki.goog/gsr2/GTS1O1.crt00%URL Reputationsafe
                      http://pki.goog/gsr2/GTS1O1.crt00%URL Reputationsafe
                      http://ns.adobe.cobjp0%Avira URL Cloudsafe
                      http://ns.adobe.c/g0%URL Reputationsafe
                      http://ns.adobe.c/g0%URL Reputationsafe
                      http://ns.adobe.c/g0%URL Reputationsafe
                      http://crl.pki.goog/gsr2/gsr2.crl0?0%URL Reputationsafe
                      http://crl.pki.goog/gsr2/gsr2.crl0?0%URL Reputationsafe
                      http://crl.pki.goog/gsr2/gsr2.crl0?0%URL Reputationsafe
                      http://ocsp.pki.goog/gsr2020%URL Reputationsafe
                      http://ocsp.pki.goog/gsr2020%URL Reputationsafe
                      http://ocsp.pki.goog/gsr2020%URL Reputationsafe
                      https://pki.goog/repository/00%URL Reputationsafe
                      https://pki.goog/repository/00%URL Reputationsafe
                      https://pki.goog/repository/00%URL Reputationsafe
                      http://ns.adobe.c/g5~0%Avira URL Cloudsafe
                      http://ns.ado/1p0%Avira URL Cloudsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      http://ns.ado/10%URL Reputationsafe
                      http://ns.ado/10%URL Reputationsafe
                      http://ns.ado/10%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://127.0.0.1:HTTP/1.1InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      low
                      http://DynDns.comDynDNSInstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://ns.adobe.cobjMPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://wqDPxI.comInstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haInstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://ocsp.pki.goog/gts1o1core0MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://ns.adobe.c/gpMPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://crl.pki.goog/GTS1O1core.crl0MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://ns.adbMPO-003234.exe, 00000000.00000003.238538980.0000000009BE4000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://api.ipify.org%GETMozilla/5.0InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      low
                      http://ns.adobe.c/g%%badman.exe, 00000010.00000003.422941176.000000000903D000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://pki.goog/gsr2/GTS1O1.crt0MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://ns.adobe.cobjpMPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://ns.adobe.c/gMPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmp, badman.exe, 00000010.00000003.347728528.0000000009035000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://crl.pki.goog/gsr2/gsr2.crl0?MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://ocsp.pki.goog/gsr202MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://pki.goog/repository/0MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://ns.adobe.c/g5~badman.exe, 00000010.00000003.347207533.0000000009035000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://ns.ado/1pMPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameMPO-003234.exe, 00000000.00000002.331380288.00000000030D1000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426997303.00000000024B1000.00000004.00000001.sdmpfalse
                        high
                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipMPO-003234.exe, 00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.432474443.0000000003EAA000.00000004.00000001.sdmp, InstallUtil.exe, 00000019.00000002.492241366.0000000000402000.00000040.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://schema.org/WebPageMPO-003234.exe, 00000000.00000002.331426011.0000000003102000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.427101971.00000000024E2000.00000004.00000001.sdmpfalse
                          high
                          http://ns.ado/1MPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown

                          Contacted IPs

                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs

                          Public

                          IPDomainCountryFlagASNASN NameMalicious

                          Private

                          IP
                          192.168.2.1

                          General Information

                          Joe Sandbox Version:31.0.0 Emerald
                          Analysis ID:356523
                          Start date:23.02.2021
                          Start time:09:28:13
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 11m 22s
                          Hypervisor based Inspection enabled:false
                          Report type:light
                          Sample file name:MPO-003234.exe
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                          Number of analysed new started processes analysed:31
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@10/6@0/1
                          EGA Information:Failed
                          HDC Information:
                          • Successful, ratio: 3.6% (good quality ratio 1.8%)
                          • Quality average: 24.9%
                          • Quality standard deviation: 30.8%
                          HCA Information:
                          • Successful, ratio: 89%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Found application associated with file extension: .exe
                          Warnings:
                          Show All
                          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                          • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 51.11.168.160, 52.255.188.83, 92.122.145.220, 104.43.193.48, 168.61.161.212, 142.250.185.164, 23.210.248.85, 93.184.221.240, 51.103.5.186, 204.79.197.200, 13.107.21.200, 51.104.144.132, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129
                          • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, www.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.

                          Simulations

                          Behavior and APIs

                          TimeTypeDescription
                          09:29:09API Interceptor194x Sleep call for process: MPO-003234.exe modified
                          09:29:12AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run neil C:\Users\user\AppData\Roaming\badman.exe
                          09:29:20AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run neil C:\Users\user\AppData\Roaming\badman.exe
                          09:29:58API Interceptor222x Sleep call for process: badman.exe modified
                          09:30:48API Interceptor135x Sleep call for process: InstallUtil.exe modified
                          09:30:59AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run zUbDt C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe
                          09:31:07AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run zUbDt C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe

                          Joe Sandbox View / Context

                          IPs

                          No context

                          Domains

                          No context

                          ASN

                          No context

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                          C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exePayment copy.exeGet hashmaliciousBrowse
                            New Order.exeGet hashmaliciousBrowse
                              YKRAB010B_KHE_Preminary Packing List.xlsx.exeGet hashmaliciousBrowse
                                RTM DIAS - CTM.exeGet hashmaliciousBrowse
                                  SecuriteInfo.com.Artemis249E62CF9BAE.exeGet hashmaliciousBrowse
                                    SecuriteInfo.com.Trojan.Packed2.42841.18110.exeGet hashmaliciousBrowse
                                      DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exeGet hashmaliciousBrowse
                                        index_2021-02-18-20_41.exeGet hashmaliciousBrowse
                                          XXXXXXXXXXXXXX.exeGet hashmaliciousBrowse
                                            IMG_144907.exeGet hashmaliciousBrowse
                                              VIIIIIIIIIIIIIC.exeGet hashmaliciousBrowse
                                                lQN1zlLSGa.exeGet hashmaliciousBrowse
                                                  Sorted Properties.exeGet hashmaliciousBrowse
                                                    DB_DHL_AWB_00117390021_AD03990399003920032.exeGet hashmaliciousBrowse
                                                      New Order 83329 PDF.exeGet hashmaliciousBrowse
                                                        NEW TENDER_ORDER 900930390097733000999_10_02_2021.exeGet hashmaliciousBrowse
                                                          Proforma Invoice February.exeGet hashmaliciousBrowse
                                                            jmsg.exeGet hashmaliciousBrowse
                                                              FORM DB_DHL_AWB_029920292092039993029333221 AD.exeGet hashmaliciousBrowse
                                                                Mortgage Description.exeGet hashmaliciousBrowse
                                                                  C:\Users\user\AppData\Local\Temp\InstallUtil.exePayment copy.exeGet hashmaliciousBrowse
                                                                    New Order.exeGet hashmaliciousBrowse
                                                                      YKRAB010B_KHE_Preminary Packing List.xlsx.exeGet hashmaliciousBrowse
                                                                        RTM DIAS - CTM.exeGet hashmaliciousBrowse
                                                                          SecuriteInfo.com.Artemis249E62CF9BAE.exeGet hashmaliciousBrowse
                                                                            SecuriteInfo.com.Trojan.Packed2.42841.18110.exeGet hashmaliciousBrowse
                                                                              DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exeGet hashmaliciousBrowse
                                                                                index_2021-02-18-20_41.exeGet hashmaliciousBrowse
                                                                                  XXXXXXXXXXXXXX.exeGet hashmaliciousBrowse
                                                                                    IMG_144907.exeGet hashmaliciousBrowse
                                                                                      VIIIIIIIIIIIIIC.exeGet hashmaliciousBrowse
                                                                                        lQN1zlLSGa.exeGet hashmaliciousBrowse
                                                                                          Sorted Properties.exeGet hashmaliciousBrowse
                                                                                            DB_DHL_AWB_00117390021_AD03990399003920032.exeGet hashmaliciousBrowse
                                                                                              New Order 83329 PDF.exeGet hashmaliciousBrowse
                                                                                                NEW TENDER_ORDER 900930390097733000999_10_02_2021.exeGet hashmaliciousBrowse
                                                                                                  Proforma Invoice February.exeGet hashmaliciousBrowse
                                                                                                    jmsg.exeGet hashmaliciousBrowse
                                                                                                      FORM DB_DHL_AWB_029920292092039993029333221 AD.exeGet hashmaliciousBrowse
                                                                                                        Mortgage Description.exeGet hashmaliciousBrowse

                                                                                                          Created / dropped Files

                                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MPO-003234.exe.log
                                                                                                          Process:C:\Users\user\Desktop\MPO-003234.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:modified
                                                                                                          Size (bytes):1214
                                                                                                          Entropy (8bit):5.358666369753595
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4K5AE4Kzr7K84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoM:MIHK5HKXE1qHbHK5AHKzvKviYHKhQnoH
                                                                                                          MD5:1F3BB210B09FE31192C6A822966919E9
                                                                                                          SHA1:A8715FFF2F9D1BE024F462CF702D1E7F71AA4B4F
                                                                                                          SHA-256:C6B3057777EE46AC3544F9FA829E918CD7EF70E490424616650DDA01BF214043
                                                                                                          SHA-512:26897678275FEFDFD96FCB7F7FAFFD5FB0BC0FEB35C89BEB4BA15D074155A06236E8681A2CA9C9DCFDDF2462644CD3603C3592AB310BA84E3D93C8BF2CE28DD5
                                                                                                          Malicious:true
                                                                                                          Reputation:moderate, very likely benign file
                                                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co
                                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\badman.exe.log
                                                                                                          Process:C:\Users\user\AppData\Roaming\badman.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1214
                                                                                                          Entropy (8bit):5.358666369753595
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4K5AE4Kzr7K84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoM:MIHK5HKXE1qHbHK5AHKzvKviYHKhQnoH
                                                                                                          MD5:1F3BB210B09FE31192C6A822966919E9
                                                                                                          SHA1:A8715FFF2F9D1BE024F462CF702D1E7F71AA4B4F
                                                                                                          SHA-256:C6B3057777EE46AC3544F9FA829E918CD7EF70E490424616650DDA01BF214043
                                                                                                          SHA-512:26897678275FEFDFD96FCB7F7FAFFD5FB0BC0FEB35C89BEB4BA15D074155A06236E8681A2CA9C9DCFDDF2462644CD3603C3592AB310BA84E3D93C8BF2CE28DD5
                                                                                                          Malicious:false
                                                                                                          Reputation:moderate, very likely benign file
                                                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co
                                                                                                          C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                                                          Process:C:\Users\user\Desktop\MPO-003234.exe
                                                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):41064
                                                                                                          Entropy (8bit):6.164873449128079
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
                                                                                                          MD5:EFEC8C379D165E3F33B536739AEE26A3
                                                                                                          SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
                                                                                                          SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                                                                                                          SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Joe Sandbox View:
                                                                                                          • Filename: Payment copy.exe, Detection: malicious, Browse
                                                                                                          • Filename: New Order.exe, Detection: malicious, Browse
                                                                                                          • Filename: YKRAB010B_KHE_Preminary Packing List.xlsx.exe, Detection: malicious, Browse
                                                                                                          • Filename: RTM DIAS - CTM.exe, Detection: malicious, Browse
                                                                                                          • Filename: SecuriteInfo.com.Artemis249E62CF9BAE.exe, Detection: malicious, Browse
                                                                                                          • Filename: SecuriteInfo.com.Trojan.Packed2.42841.18110.exe, Detection: malicious, Browse
                                                                                                          • Filename: DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exe, Detection: malicious, Browse
                                                                                                          • Filename: index_2021-02-18-20_41.exe, Detection: malicious, Browse
                                                                                                          • Filename: XXXXXXXXXXXXXX.exe, Detection: malicious, Browse
                                                                                                          • Filename: IMG_144907.exe, Detection: malicious, Browse
                                                                                                          • Filename: VIIIIIIIIIIIIIC.exe, Detection: malicious, Browse
                                                                                                          • Filename: lQN1zlLSGa.exe, Detection: malicious, Browse
                                                                                                          • Filename: Sorted Properties.exe, Detection: malicious, Browse
                                                                                                          • Filename: DB_DHL_AWB_00117390021_AD03990399003920032.exe, Detection: malicious, Browse
                                                                                                          • Filename: New Order 83329 PDF.exe, Detection: malicious, Browse
                                                                                                          • Filename: NEW TENDER_ORDER 900930390097733000999_10_02_2021.exe, Detection: malicious, Browse
                                                                                                          • Filename: Proforma Invoice February.exe, Detection: malicious, Browse
                                                                                                          • Filename: jmsg.exe, Detection: malicious, Browse
                                                                                                          • Filename: FORM DB_DHL_AWB_029920292092039993029333221 AD.exe, Detection: malicious, Browse
                                                                                                          • Filename: Mortgage Description.exe, Detection: malicious, Browse
                                                                                                          Reputation:moderate, very likely benign file
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
                                                                                                          C:\Users\user\AppData\Roaming\badman.exe
                                                                                                          Process:C:\Users\user\Desktop\MPO-003234.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):877568
                                                                                                          Entropy (8bit):6.6376111502973485
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12288:woUUhJQ3Krcrlhiz6021uysHmL95K0/Y7n03vSt0BgVb:wvKrcBgp2IyGuK0/Y70f7
                                                                                                          MD5:8BC8526FBAAFBAC33118EE652AC97DA6
                                                                                                          SHA1:7B23C7209B8F37BB32803971C36AB706B4A8E34D
                                                                                                          SHA-256:CFE1F69C2984DE3F5D476DB3CE45AA4D95A8137F0FF1BA07C1B0CECF15075C93
                                                                                                          SHA-512:439595E5CAE6B32B36223DF24D3DE1FA67BD8EE46ED84358D64633DEBA39B4A25DC38DB1BEF947B9C74E4A3226758876A673AEE353D3E94B168E32BE9BCD822C
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                          • Antivirus: ReversingLabs, Detection: 19%
                                                                                                          Reputation:low
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P.3K.................X...........w... ........@.. ....................................`..................................v..S.................................................................................... ............... ..H............text....W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............b..............@..B.................v......H....... ...............................................................).F...<......*...U...u.....d...F....yg.#."..#.P...+.m..\....y......b...i.)e.W.RmV..p~.f...a.l.5..9a...E...uR....O.1...&.T......|F......e....m~.m.S ..`........ ....y."\+.A:....C.....X.1.b..X..yIg.Z.T.1..I.5Q.S....D..K......../.......1k.t.......2........bl.Q..\N...dH.E.-....c.E.3.w...W<..".`.8..H.N..x.m.`.|.y..C.5....#.._...1.).w.a..$.(.1.^.r.:...T.E....<..41......t....-;]2|.U.zn.Bcr.
                                                                                                          C:\Users\user\AppData\Roaming\badman.exe:Zone.Identifier
                                                                                                          Process:C:\Users\user\Desktop\MPO-003234.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):26
                                                                                                          Entropy (8bit):3.95006375643621
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                          Malicious:true
                                                                                                          Reputation:high, very likely benign file
                                                                                                          Preview: [ZoneTransfer]....ZoneId=0
                                                                                                          C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):41064
                                                                                                          Entropy (8bit):6.164873449128079
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
                                                                                                          MD5:EFEC8C379D165E3F33B536739AEE26A3
                                                                                                          SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
                                                                                                          SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                                                                                                          SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Joe Sandbox View:
                                                                                                          • Filename: Payment copy.exe, Detection: malicious, Browse
                                                                                                          • Filename: New Order.exe, Detection: malicious, Browse
                                                                                                          • Filename: YKRAB010B_KHE_Preminary Packing List.xlsx.exe, Detection: malicious, Browse
                                                                                                          • Filename: RTM DIAS - CTM.exe, Detection: malicious, Browse
                                                                                                          • Filename: SecuriteInfo.com.Artemis249E62CF9BAE.exe, Detection: malicious, Browse
                                                                                                          • Filename: SecuriteInfo.com.Trojan.Packed2.42841.18110.exe, Detection: malicious, Browse
                                                                                                          • Filename: DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exe, Detection: malicious, Browse
                                                                                                          • Filename: index_2021-02-18-20_41.exe, Detection: malicious, Browse
                                                                                                          • Filename: XXXXXXXXXXXXXX.exe, Detection: malicious, Browse
                                                                                                          • Filename: IMG_144907.exe, Detection: malicious, Browse
                                                                                                          • Filename: VIIIIIIIIIIIIIC.exe, Detection: malicious, Browse
                                                                                                          • Filename: lQN1zlLSGa.exe, Detection: malicious, Browse
                                                                                                          • Filename: Sorted Properties.exe, Detection: malicious, Browse
                                                                                                          • Filename: DB_DHL_AWB_00117390021_AD03990399003920032.exe, Detection: malicious, Browse
                                                                                                          • Filename: New Order 83329 PDF.exe, Detection: malicious, Browse
                                                                                                          • Filename: NEW TENDER_ORDER 900930390097733000999_10_02_2021.exe, Detection: malicious, Browse
                                                                                                          • Filename: Proforma Invoice February.exe, Detection: malicious, Browse
                                                                                                          • Filename: jmsg.exe, Detection: malicious, Browse
                                                                                                          • Filename: FORM DB_DHL_AWB_029920292092039993029333221 AD.exe, Detection: malicious, Browse
                                                                                                          • Filename: Mortgage Description.exe, Detection: malicious, Browse
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s

                                                                                                          Static File Info

                                                                                                          General

                                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Entropy (8bit):6.6376111502973485
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                                          File name:MPO-003234.exe
                                                                                                          File size:877568
                                                                                                          MD5:8bc8526fbaafbac33118ee652ac97da6
                                                                                                          SHA1:7b23c7209b8f37bb32803971c36ab706b4a8e34d
                                                                                                          SHA256:cfe1f69c2984de3f5d476db3ce45aa4d95a8137f0ff1ba07c1b0cecf15075c93
                                                                                                          SHA512:439595e5cae6b32b36223df24d3de1fa67bd8ee46ed84358d64633deba39b4a25dc38db1bef947b9c74e4a3226758876a673aee353d3e94b168e32be9bcd822c
                                                                                                          SSDEEP:12288:woUUhJQ3Krcrlhiz6021uysHmL95K0/Y7n03vSt0BgVb:wvKrcBgp2IyGuK0/Y70f7
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P.3K.................X...........w... ........@.. ....................................`................................

                                                                                                          File Icon

                                                                                                          Icon Hash:00828e8e8686b000

                                                                                                          Static PE Info

                                                                                                          General

                                                                                                          Entrypoint:0x4d770e
                                                                                                          Entrypoint Section:.text
                                                                                                          Digitally signed:false
                                                                                                          Imagebase:0x400000
                                                                                                          Subsystem:windows gui
                                                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                                                          Time Stamp:0x4B33FC50 [Thu Dec 24 23:42:08 2009 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:v4.0.30319
                                                                                                          OS Version Major:4
                                                                                                          OS Version Minor:0
                                                                                                          File Version Major:4
                                                                                                          File Version Minor:0
                                                                                                          Subsystem Version Major:4
                                                                                                          Subsystem Version Minor:0
                                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                          Entrypoint Preview

                                                                                                          Instruction
                                                                                                          jmp dword ptr [00402000h]
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al

                                                                                                          Data Directories

                                                                                                          NameVirtual AddressVirtual Size Is in Section
                                                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0xd76b80x53.text
                                                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xd80000x616.rsrc
                                                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xda0000xc.reloc
                                                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                          Sections

                                                                                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                          .text0x20000xd57140xd5800False0.635758196721SysEx File -6.6463233151IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                          .rsrc0xd80000x6160x800False0.349609375data3.66123376299IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                          .reloc0xda0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                          Resources

                                                                                                          NameRVASizeTypeLanguageCountry
                                                                                                          RT_VERSION0xd80a00x38cPGP symmetric key encrypted data - Plaintext or unencrypted data
                                                                                                          RT_MANIFEST0xd842c0x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                                          Imports

                                                                                                          DLLImport
                                                                                                          mscoree.dll_CorExeMain

                                                                                                          Version Infos

                                                                                                          DescriptionData
                                                                                                          Translation0x0000 0x04b0
                                                                                                          LegalCopyrightCopyright 2011 E5?5I5:6IG=BH49I2J<;6C
                                                                                                          Assembly Version1.0.0.0
                                                                                                          InternalNameRaj.exe
                                                                                                          FileVersion7.11.14.18
                                                                                                          CompanyNameE5?5I5:6IG=BH49I2J<;6C
                                                                                                          CommentsAF95E:7>3632AD@G@9
                                                                                                          ProductName5EGCD4ACFEGCGA7;?A2
                                                                                                          ProductVersion7.11.14.18
                                                                                                          FileDescription5EGCD4ACFEGCGA7;?A2
                                                                                                          OriginalFilenameRaj.exe

                                                                                                          Network Behavior

                                                                                                          Network Port Distribution

                                                                                                          UDP Packets

                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                          Feb 23, 2021 09:28:55.101944923 CET6124253192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:28:55.126588106 CET5856253192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:28:55.150718927 CET53612428.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:28:55.176758051 CET5659053192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:28:55.178112030 CET53585628.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:28:55.225357056 CET53565908.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:28:58.107235909 CET6050153192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:28:58.172266960 CET53605018.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:01.079483032 CET5377553192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:01.130961895 CET53537758.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:02.069763899 CET5183753192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:02.118594885 CET53518378.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:03.205269098 CET5541153192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:03.254051924 CET53554118.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:04.208017111 CET6366853192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:04.257010937 CET53636688.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:04.298306942 CET5464053192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:04.357367039 CET53546408.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:04.622805119 CET5873953192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:04.671376944 CET53587398.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:04.687341928 CET6033853192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:04.736023903 CET53603388.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:05.337219954 CET5871753192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:05.386883020 CET53587178.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:09.311932087 CET5976253192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:09.360644102 CET53597628.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:10.319719076 CET5432953192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:10.368494987 CET53543298.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:11.290817022 CET5805253192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:11.339703083 CET53580528.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:12.295756102 CET5400853192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:12.344485044 CET53540088.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:13.266511917 CET5945153192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:13.318264008 CET53594518.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:14.236737967 CET5291453192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:14.285512924 CET53529148.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:15.220974922 CET6456953192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:15.279983044 CET53645698.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:16.285648108 CET5281653192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:16.345727921 CET53528168.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:18.440898895 CET5078153192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:18.493890047 CET53507818.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:20.617420912 CET5423053192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:20.668917894 CET53542308.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:21.480077982 CET5491153192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:21.540224075 CET53549118.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:22.158849001 CET4995853192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:22.207703114 CET53499588.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:24.030318022 CET5086053192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:24.081851959 CET53508608.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:30.098707914 CET5045253192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:30.158178091 CET53504528.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:31.191107988 CET5973053192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:31.239974022 CET53597308.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:32.180849075 CET5931053192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:32.233937025 CET53593108.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:34.110220909 CET5191953192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:34.160742998 CET53519198.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:50.333293915 CET6429653192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:50.382025003 CET53642968.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:51.508300066 CET5668053192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:51.556991100 CET53566808.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:53.156857014 CET5882053192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:53.208484888 CET53588208.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:53.660867929 CET6098353192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:53.713583946 CET53609838.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:53.726845980 CET4924753192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:53.775630951 CET53492478.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:29:56.399905920 CET5228653192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:29:56.448682070 CET53522868.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:04.419305086 CET5606453192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:04.480340004 CET53560648.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:21.199871063 CET6374453192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:21.251580954 CET53637448.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:21.903512001 CET6145753192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:21.966276884 CET53614578.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:22.318589926 CET5836753192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:22.378510952 CET53583678.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:22.550931931 CET6059953192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:22.608385086 CET53605998.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:23.137856007 CET5957153192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:23.196151018 CET53595718.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:23.692564964 CET5268953192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:23.750958920 CET53526898.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:24.330089092 CET5029053192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:24.390232086 CET53502908.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:25.018570900 CET6042753192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:25.079519033 CET53604278.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:25.962924004 CET5620953192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:26.011715889 CET53562098.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:26.881119013 CET5958253192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:26.940684080 CET53595828.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:27.540143013 CET6094953192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:27.600292921 CET53609498.8.8.8192.168.2.7
                                                                                                          Feb 23, 2021 09:30:55.509000063 CET5854253192.168.2.78.8.8.8
                                                                                                          Feb 23, 2021 09:30:55.557792902 CET53585428.8.8.8192.168.2.7

                                                                                                          Code Manipulations

                                                                                                          Statistics

                                                                                                          Behavior

                                                                                                          Click to jump to process

                                                                                                          System Behavior

                                                                                                          General

                                                                                                          Start time:09:29:01
                                                                                                          Start date:23/02/2021
                                                                                                          Path:C:\Users\user\Desktop\MPO-003234.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'C:\Users\user\Desktop\MPO-003234.exe'
                                                                                                          Imagebase:0xca0000
                                                                                                          File size:877568 bytes
                                                                                                          MD5 hash:8BC8526FBAAFBAC33118EE652AC97DA6
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.336384581.0000000004ACC000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          Reputation:low

                                                                                                          General

                                                                                                          Start time:09:29:07
                                                                                                          Start date:23/02/2021
                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
                                                                                                          Imagebase:0x870000
                                                                                                          File size:232960 bytes
                                                                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:09:29:08
                                                                                                          Start date:23/02/2021
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff774ee0000
                                                                                                          File size:625664 bytes
                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:09:29:08
                                                                                                          Start date:23/02/2021
                                                                                                          Path:C:\Windows\SysWOW64\reg.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
                                                                                                          Imagebase:0x1370000
                                                                                                          File size:59392 bytes
                                                                                                          MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:09:29:49
                                                                                                          Start date:23/02/2021
                                                                                                          Path:C:\Users\user\AppData\Roaming\badman.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'C:\Users\user\AppData\Roaming\badman.exe'
                                                                                                          Imagebase:0xc0000
                                                                                                          File size:877568 bytes
                                                                                                          MD5 hash:8BC8526FBAAFBAC33118EE652AC97DA6
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.432474443.0000000003EAA000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.432224674.0000000003D39000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.432317195.0000000003D9C000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                          • Detection: 19%, ReversingLabs
                                                                                                          Reputation:low

                                                                                                          General

                                                                                                          Start time:09:30:28
                                                                                                          Start date:23/02/2021
                                                                                                          Path:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
                                                                                                          Imagebase:0x6e0000
                                                                                                          File size:41064 bytes
                                                                                                          MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.492241366.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 0%, Metadefender, Browse
                                                                                                          • Detection: 0%, ReversingLabs
                                                                                                          Reputation:moderate

                                                                                                          Disassembly

                                                                                                          Code Analysis

                                                                                                          Reset < >