Analysis Report Purchase_Order-Documents.exe

Overview

General Information

Sample Name:	Purchase_Order-Documents.exe
Analysis ID:	358397
MD5:	970bce067ae6cdcf4cdf30a0a1f87186
SHA1:	75b2a8726790ca34db04a003ba3547a1eb28f3fd
SHA256:	f828f3f4109c84bc59b919c268c2d73ed8f1b327b3c3afd64184c2ddf2ae3aa5
Tags:	AgentTesla
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains very large array initializations

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has nameless sections

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Signatures

AV Detection:

Found malware configuration

Source: 1.2.Purchase_Order-Documents.exe.3ded5a0.3.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "FTP Info": "kehoach@cuulongcorp.com.vnClkehoach9999@mail.cuulongcorp.com.vnkhanhkythuats@davitecco.com"}

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\iplcwcpzEHCt.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Purchase_Order-Documents.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 6.2.Purchase_Order-Documents.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.2.Purchase_Order-Documents.exe.7e0000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3

Compliance:

Uses 32bit PE files

Source: Purchase_Order-Documents.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Purchase_Order-Documents.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	1_2_01240F70
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	1_2_01240F68
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 4x nop then jmp 0E88A745h	1_2_0E88A60D
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_0E88C480
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_0E88C470

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49736 -> 210.245.86.30:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49737 -> 210.245.86.30:587

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49736 -> 210.245.86.30:587

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 210.245.86.30 210.245.86.30

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: FPT-AS-APTheCorporationforFinancingPromotingTechnolo FPT-AS-APTheCorporationforFinancingPromotingTechnolo

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.5:49736 -> 210.245.86.30:587

Source: unknown

DNS traffic detected: queries for: mail.cuulongcorp.com.vn

Source: Purchase_Order-Documents.exe, 00000006.00000002.499561789.0000000003231000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Purchase_Order-Documents.exe, 00000006.00000002.499561789.0000000003231000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: Purchase_Order-Documents.exe, 00000006.00000002.501834551.00000000034E9000.00000004.00000001.sdmp	String found in binary or memory: http://mail.cuulongcorp.com.vn
Source: Purchase_Order-Documents.exe, 00000001.00000002.242382284.0000000002C31000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase_Order-Documents.exe, 00000006.00000002.499561789.0000000003231000.00000004.00000001.sdmp	String found in binary or memory: http://vfhLbj.com
Source: Purchase_Order-Documents.exe, 00000006.00000002.499561789.0000000003231000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: Purchase_Order-Documents.exe, 00000001.00000002.243729384.0000000003C8B000.00000004.00000001.sdmp, Purchase_Order-Documents.exe, 00000006.00000002.496530839.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: Purchase_Order-Documents.exe, 00000006.00000002.499561789.0000000003231000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: Purchase_Order-Documents.exe, 00000006.00000002.499561789.0000000003231000.00000004.00000001.sdmp, Purchase_Order-Documents.exe, 00000006.00000002.501881878.00000000034F8000.00000004.00000001.sdmp	String found in binary or memory: https://fMYs0MG0mK9Y4AIBA2r.org
Source: Purchase_Order-Documents.exe, 00000001.00000002.243391572.0000000003062000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Purchase_Order-Documents.exe, 00000001.00000002.243729384.0000000003C8B000.00000004.00000001.sdmp, Purchase_Order-Documents.exe, 00000006.00000002.496530839.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Purchase_Order-Documents.exe, 00000006.00000002.499561789.0000000003231000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations

Source: 6.2.Purchase_Order-Documents.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bE7A81F2Du002d21DDu002d4DA7u002dA59Au002dB0367CE7B312u007d/u003503D1904u002d199Cu002d4286u002dA2C4u002d63746339E9A3.cs

Large array initialization: .cctor: array initializer size 12031

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: Purchase_Order-Documents.exe
Source: initial sample	Static PE information: Filename: Purchase_Order-Documents.exe

PE file has nameless sections

Source: Purchase_Order-Documents.exe	Static PE information: section name:
Source: iplcwcpzEHCt.exe.1.dr	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007ED21B	1_2_007ED21B
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_01240478	1_2_01240478
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_01241191	1_2_01241191
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_0124C0B0	1_2_0124C0B0
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_0124EA90	1_2_0124EA90
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_0E88CC73	1_2_0E88CC73
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_0E880007	1_2_0E880007
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_0E880040	1_2_0E880040
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_0E883902	1_2_0E883902
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007E38AA	1_2_007E38AA
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007EDD0A	1_2_007EDD0A

PE file contains strange resources

Source: Purchase_Order-Documents.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iplcwcpzEHCt.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: Purchase_Order-Documents.exe	Binary or memory string: OriginalFilename vs Purchase_Order-Documents.exe
Source: Purchase_Order-Documents.exe, 00000001.00000002.247747965.000000000A2F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs Purchase_Order-Documents.exe
Source: Purchase_Order-Documents.exe, 00000001.00000000.227945843.00000000007E2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameValueCollection.exeF vs Purchase_Order-Documents.exe
Source: Purchase_Order-Documents.exe, 00000001.00000002.248975157.000000000E740000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Purchase_Order-Documents.exe
Source: Purchase_Order-Documents.exe, 00000001.00000002.250389729.000000000F000000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Purchase_Order-Documents.exe
Source: Purchase_Order-Documents.exe, 00000001.00000002.250389729.000000000F000000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Purchase_Order-Documents.exe
Source: Purchase_Order-Documents.exe, 00000001.00000002.243729384.0000000003C8B000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePmfeIdaSFDCkBULKXtdgtBb.exe4 vs Purchase_Order-Documents.exe
Source: Purchase_Order-Documents.exe, 00000001.00000002.249765193.000000000EF10000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Purchase_Order-Documents.exe
Source: Purchase_Order-Documents.exe, 00000006.00000002.504526509.00000000064B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Purchase_Order-Documents.exe
Source: Purchase_Order-Documents.exe, 00000006.00000002.496530839.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamePmfeIdaSFDCkBULKXtdgtBb.exe4 vs Purchase_Order-Documents.exe
Source: Purchase_Order-Documents.exe, 00000006.00000002.497290648.0000000001138000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase_Order-Documents.exe
Source: Purchase_Order-Documents.exe, 00000006.00000002.496848788.0000000000CD2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameValueCollection.exeF vs Purchase_Order-Documents.exe
Source: Purchase_Order-Documents.exe	Binary or memory string: OriginalFilenameValueCollection.exeF vs Purchase_Order-Documents.exe

Uses 32bit PE files

Source: Purchase_Order-Documents.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Purchase_Order-Documents.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: iplcwcpzEHCt.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Purchase_Order-Documents.exe	Static PE information: Section: qYIUK ZLIB complexity 1.00046164773
Source: iplcwcpzEHCt.exe.1.dr	Static PE information: Section: qYIUK ZLIB complexity 1.00046164773

Source: 6.2.Purchase_Order-Documents.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.Purchase_Order-Documents.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/5@2/1

Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe

File created: C:\Users\user\AppData\Roaming\iplcwcpzEHCt.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_01
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Mutant created: \Sessions\1\BaseNamedObjects\SqETuZmjb

Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Purchase_Order-Documents.exe, 00000001.00000002.243391572.0000000003062000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Purchase_Order-Documents.exe, 00000001.00000002.243391572.0000000003062000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: unknown	Process created: C:\Users\user\Desktop\Purchase_Order-Documents.exe 'C:\Users\user\Desktop\Purchase_Order-Documents.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iplcwcpzEHCt' /XML 'C:\Users\user\AppData\Local\Temp\tmpB2A2.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\Purchase_Order-Documents.exe C:\Users\user\Desktop\Purchase_Order-Documents.exe
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iplcwcpzEHCt' /XML 'C:\Users\user\AppData\Local\Temp\tmpB2A2.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process created: C:\Users\user\Desktop\Purchase_Order-Documents.exe C:\Users\user\Desktop\Purchase_Order-Documents.exe	Jump to behavior

Source: Purchase_Order-Documents.exe	Static PE information: section name: qYIUK
Source: Purchase_Order-Documents.exe	Static PE information: section name:
Source: iplcwcpzEHCt.exe.1.dr	Static PE information: section name: qYIUK
Source: iplcwcpzEHCt.exe.1.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F42CE push cs; retf	1_2_007F431A
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F42BC push cs; retf	1_2_007F42CC
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F42A4 push cs; retf	1_2_007F42B4
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F3B7E push es; retf	1_2_007F3D8C
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F477E push ss; retf	1_2_007F4788
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F3D7C push es; retf	1_2_007F3D8C
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F4772 push ss; retf	1_2_007F477C
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F4760 push ss; retf	1_2_007F4770
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F475A push ss; retf	1_2_007F475E
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F431C push cs; retf	1_2_007F4320
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F4B14 push ds; retf	1_2_007F4BCC
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F3DE8 push es; retf	1_2_007F3E2E
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F47D2 push ss; retf	1_2_007F47E8
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F4BCE push ds; retf	1_2_007F4BD2
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F3DC4 push es; retf	1_2_007F3DE6
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F4BB6 push ds; retf	1_2_007F4BCC
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F4BB0 push ds; retf	1_2_007F4BB4
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F3DA6 push es; retf	1_2_007F3DC2
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F479C push ss; retf	1_2_007F47D0
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F3D8E push es; retf	1_2_007F3DA4
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_007F478A push ss; retf	1_2_007F479A
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_0E885645 push cs; ret	1_2_0E88564C
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Code function: 1_2_0E8870BB push edi; iretd	1_2_0E8870D6

Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000001.00000002.243391572.0000000003062000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase_Order-Documents.exe PID: 6536, type: MEMORY

Source: Purchase_Order-Documents.exe, 00000001.00000002.243391572.0000000003062000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Purchase_Order-Documents.exe, 00000001.00000002.243391572.0000000003062000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Window / User API: threadDelayed 3001			Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Window / User API: threadDelayed 6793			Jump to behavior

Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe TID: 6540	Thread sleep time: -104470s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe TID: 6592	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe TID: 7088	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe TID: 7092	Thread sleep count: 3001 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe TID: 7092	Thread sleep count: 6793 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe TID: 7088	Thread sleep count: 36 > 30	Jump to behavior

Source: Purchase_Order-Documents.exe, 00000001.00000002.243391572.0000000003062000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Purchase_Order-Documents.exe, 00000001.00000002.243391572.0000000003062000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Purchase_Order-Documents.exe, 00000001.00000002.249504544.000000000E898000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_&B
Source: Purchase_Order-Documents.exe, 00000001.00000002.243391572.0000000003062000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Purchase_Order-Documents.exe, 00000006.00000003.456966772.0000000001454000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Purchase_Order-Documents.exe, 00000001.00000002.243391572.0000000003062000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Process token adjusted: Debug			Jump to behavior

Source: Purchase_Order-Documents.exe, 00000006.00000002.499106708.0000000001B10000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Purchase_Order-Documents.exe, 00000006.00000002.499106708.0000000001B10000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Purchase_Order-Documents.exe, 00000006.00000002.499106708.0000000001B10000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: Purchase_Order-Documents.exe, 00000006.00000002.499106708.0000000001B10000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: Purchase_Order-Documents.exe, 00000006.00000002.499106708.0000000001B10000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Queries volume information: C:\Users\user\Desktop\Purchase_Order-Documents.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Queries volume information: C:\Users\user\Desktop\Purchase_Order-Documents.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: Yara match	File source: 00000006.00000002.496530839.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.499561789.0000000003231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.243729384.0000000003C8B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase_Order-Documents.exe PID: 6732, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase_Order-Documents.exe PID: 6536, type: MEMORY
Source: Yara match	File source: 1.2.Purchase_Order-Documents.exe.3f47870.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Purchase_Order-Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Purchase_Order-Documents.exe.3f47870.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Purchase_Order-Documents.exe.3e493c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Purchase_Order-Documents.exe.3ded5a0.3.raw.unpack, type: UNPACKEDPE

Analysis Report Purchase_Order-Documents.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order-Documents.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

ID:	358397
Product:	CloudBasic
Start time:	15:13:18
Start date:	25.02.2021
Sample:	Purchase_Order-Documents.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	970bce067ae6cdcf4cdf30a0a1f87186
SHA1:	75b2a8726790ca34db04a003ba3547a1eb28f3fd
SHA256:	f828f3f4109c84bc59b919c268c2d73ed8f1b327b3c3afd64184c2ddf2ae3aa5
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase_Order-Documents.exe.log	ASCII text, with CRLF line terminators	CDB0CBEDFEC7CCD7229835F37D89305C	39023F8CFF044D44485DB049CE242383BCB07035	B1D78A56636298EFB329B368C4D52F2DCCF7F948AF7E7A30D9A8916D532760FE
C:\Users\user\AppData\Local\Temp\tmpB2A2.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	D75F7083DACCE330AFAC5AD5BBC2DE74	EF53F69823E22445F5B8484548B68125E4DA078F	621321D565CA73074F1A2E14D3D2C2F212C72BEAA9F44790457281584F21681C
C:\Users\user\AppData\Roaming\30ot4ffb.ida\Chrome\Default\Cookies	SQLite 3.x database, last written using SQLite version 3032001	3806E8153A55C1A2DA0B09461A9C882A	BD98AB2FB5E18FD94DC24BCE875087B5C3BB2F72	366E8B53CE8CC27C0980AC532C2E9D372399877931AB0CEA075C62B3CB0F82BE
C:\Users\user\AppData\Roaming\iplcwcpzEHCt.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	970BCE067AE6CDCF4CDF30A0A1F87186	75B2A8726790CA34DB04A003BA3547A1EB28F3FD	F828F3F4109C84BC59B919C268C2D73ED8F1B327B3C3AFD64184C2DDF2AE3AA5
C:\Users\user\AppData\Roaming\iplcwcpzEHCt.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309