Analysis Report PO5421-allignright.doc

Overview

General Information

Sample Name:	PO5421-allignright.doc
Analysis ID:	404224
MD5:	901e61918c3c108ebe8d6eabd18d0cc4
SHA1:	bbc834bb8d6a92e7070276884ccde86c0e2f6f38
SHA256:	8e7e22725654ca02a0c9d079fa96ac9b53f131cf029076b90934b50a23a36ccb
Tags:	AgentTesladoc
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Powershell adding suspicious path to exclusion list

Yara detected AgentTesla

Adds a directory exclusion to Windows Defender

Creates an autostart registry key pointing to binary in C:\Windows

Creates multiple autostart registry keys

Drops PE files to the startup folder

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses the Telegram API (likely for C&C communication)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: Non Interactive PowerShell

Stores files to the Windows start menu directory

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Signatures

AV Detection:

Found malware configuration

Source: 13.2.Bw6d8Paf6bOV36xS4N6.exe.39dac88.7.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1656309456", "Chat URL": "https://api.telegram.org/bot1774464259:AAF9FzZxHVqbPEcJ50c3sNsdvyt_OEQ0GcA/sendDocument"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	ReversingLabs: Detection: 44%

Multi AV Scanner detection for submitted file

Source: PO5421-allignright.doc

ReversingLabs: Detection: 19%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Joe Sandbox ML: detected
Source: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\CTF loader_es.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\CTF loader_es.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49174 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49175 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49176 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49177 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2112108084.00000000029D6000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2126177757.00000000062CD000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp
Source:	Binary string: ??\C:\Windows\system32\netutils.dllhell\v1.0\netutils.dllnfig\v2.0.50727.312\security.config.cch.260.7193798tion.pdby.resources.exes.exeI.ni.dll source: powershell.exe, 00000007.00000002.2109706042.00000000006AB000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbV source: powershell.exe, 00000005.00000002.2112108084.00000000029D6000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp
Source:	Binary string: dows\System.Management.Automation.pdbpdbion.pdbn\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb0FB-4BFC-874A-C0F2E0B9FA8E}\WinDirStat\windirstat.exed source: powershell.exe, 00000016.00000002.2154655954.00000000007B3000.00000004.00000020.sdmp
Source:	Binary string: indows\System.Management.Automation.pdbpdbion.pdbB source: powershell.exe, 00000005.00000002.2112108084.00000000029D6000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2112108084.00000000029D6000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2112108084.00000000029D6000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2112205966.0000000002A50000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2112108084.00000000029D6000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\	Jump to behavior

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: CTF loader_es.exe, 00000004.00000002.2184998568.0000000006060000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2112599961.0000000002B40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: CTF loader_es.exe, 00000004.00000002.2184998568.0000000006060000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2112599961.0000000002B40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: CTF loader_es.exe, 00000004.00000002.2186751004.0000000006247000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2114647306.0000000002D27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: CTF loader_es.exe, 00000004.00000002.2186751004.0000000006247000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2114647306.0000000002D27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: CTF loader_es.exe, 00000004.00000002.2180855712.00000000055E0000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2109743393.0000000002080000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: CTF loader_es.exe, 00000004.00000003.2115015992.0000000002C2D000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CTF loader_es.exe, 00000004.00000002.2186751004.0000000006247000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2114647306.0000000002D27000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: CTF loader_es.exe, 00000004.00000002.2186751004.0000000006247000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2114647306.0000000002D27000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: CTF loader_es.exe, 00000004.00000002.2180855712.00000000055E0000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2109743393.0000000002080000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: CTF loader_es.exe, 00000004.00000002.2184998568.0000000006060000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2112599961.0000000002B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: CTF loader_es.exe, 00000004.00000002.2186751004.0000000006247000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2114647306.0000000002D27000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: CTF loader_es.exe, 00000004.00000002.2184998568.0000000006060000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2112599961.0000000002B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000003.2097243678.000000000026C000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000003.2097243678.000000000026C000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000005.00000002.2112599961.0000000002B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: CTF loader_es.exe, 00000004.00000002.2163761430.0000000003D1A000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot1774464259:AAF9FzZxHVqbPEcJ50c3sNsdvyt_OEQ0GcA/
Source: CTF loader_es.exe, 00000004.00000002.2163761430.0000000003D1A000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\CTF loader_es.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_01B7B2EE NtQuerySystemInformation,	5_2_01B7B2EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_01B7B2CC NtQuerySystemInformation,	5_2_01B7B2CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_007DB2EE NtQuerySystemInformation,	7_2_007DB2EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_007DB2CC NtQuerySystemInformation,	7_2_007DB2CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0061B2EE NtQuerySystemInformation,	9_2_0061B2EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0061B2CC NtQuerySystemInformation,	9_2_0061B2CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_025DB2EE NtQuerySystemInformation,	11_2_025DB2EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_025DB2CC NtQuerySystemInformation,	11_2_025DB2CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_01E0B2EE NtQuerySystemInformation,	14_2_01E0B2EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_01E0B2CC NtQuerySystemInformation,	14_2_01E0B2CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_0253B2EE NtQuerySystemInformation,	15_2_0253B2EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_0253B2CC NtQuerySystemInformation,	15_2_0253B2CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_003FB2EE NtQuerySystemInformation,	18_2_003FB2EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_003FB2CC NtQuerySystemInformation,	18_2_003FB2CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_006FB2EE NtQuerySystemInformation,	22_2_006FB2EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_006FB2CC NtQuerySystemInformation,	22_2_006FB2CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_01D0B2EE NtQuerySystemInformation,	24_2_01D0B2EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_01D0B2CC NtQuerySystemInformation,	24_2_01D0B2CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_01DFB2EE NtQuerySystemInformation,	26_2_01DFB2EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_01DFB2CC NtQuerySystemInformation,	26_2_01DFB2CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 28_2_01D8B2EE NtQuerySystemInformation,	28_2_01D8B2EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 28_2_01D8B2CC NtQuerySystemInformation,	28_2_01D8B2CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_0052B2EE NtQuerySystemInformation,	30_2_0052B2EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_0052B2CC NtQuerySystemInformation,	30_2_0052B2CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 33_2_003CB2EE NtQuerySystemInformation,	33_2_003CB2EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 33_2_003CB2CC NtQuerySystemInformation,	33_2_003CB2CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_01D0B2EE NtQuerySystemInformation,	35_2_01D0B2EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_01D0B2CC NtQuerySystemInformation,	35_2_01D0B2CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 37_2_01F4B2EE NtQuerySystemInformation,	37_2_01F4B2EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 37_2_01F4B2CC NtQuerySystemInformation,	37_2_01F4B2CC

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 4_2_00B52050	4_2_00B52050
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 4_2_00280C80	4_2_00280C80
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 4_2_00280490	4_2_00280490
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Code function: 13_2_00822050	13_2_00822050
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Code function: 13_2_00220C80	13_2_00220C80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Code function: 13_2_00220490	13_2_00220490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_02AD33FA	18_2_02AD33FA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Code function: 20_2_001E0490	20_2_001E0490
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Code function: 20_2_001E0C80	20_2_001E0C80
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_00B52050	21_2_00B52050
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_002E53C8	21_2_002E53C8
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_002E5FE0	21_2_002E5FE0
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_002E5710	21_2_002E5710
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003B0748	21_2_003B0748
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003B59C0	21_2_003B59C0
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003DCCB9	21_2_003DCCB9
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003D2E90	21_2_003D2E90
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003D5170	21_2_003D5170
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003D6B58	21_2_003D6B58
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003D97C0	21_2_003D97C0
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003D8428	21_2_003D8428
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003D5810	21_2_003D5810
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003DD878	21_2_003DD878
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003D22A8	21_2_003D22A8
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003DD698	21_2_003DD698
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003D9CE3	21_2_003D9CE3
Source: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe	Code function: 29_2_00F62050	29_2_00F62050
Source: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe	Code function: 29_2_00210490	29_2_00210490
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Code function: 39_2_00822050	39_2_00822050

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe FBF9AD4434424D18319916F523899A50C21535012A50D531ED30040F0B66970B
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe FBF9AD4434424D18319916F523899A50C21535012A50D531ED30040F0B66970B
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\CTF loader_es.exe FBF9AD4434424D18319916F523899A50C21535012A50D531ED30040F0B66970B
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe FBF9AD4434424D18319916F523899A50C21535012A50D531ED30040F0B66970B

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_01B7ACEE AdjustTokenPrivileges,	5_2_01B7ACEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_01B7ACB7 AdjustTokenPrivileges,	5_2_01B7ACB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_007DACEE AdjustTokenPrivileges,	7_2_007DACEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_007DACB7 AdjustTokenPrivileges,	7_2_007DACB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0061ACEE AdjustTokenPrivileges,	9_2_0061ACEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0061ACB7 AdjustTokenPrivileges,	9_2_0061ACB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_025DACEE AdjustTokenPrivileges,	11_2_025DACEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_025DACB7 AdjustTokenPrivileges,	11_2_025DACB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_01E0ACEE AdjustTokenPrivileges,	14_2_01E0ACEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_01E0ACB7 AdjustTokenPrivileges,	14_2_01E0ACB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_0253ACEE AdjustTokenPrivileges,	15_2_0253ACEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_0253ACB7 AdjustTokenPrivileges,	15_2_0253ACB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_003FACEE AdjustTokenPrivileges,	18_2_003FACEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_003FACB7 AdjustTokenPrivileges,	18_2_003FACB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_006FACEE AdjustTokenPrivileges,	22_2_006FACEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_006FACB7 AdjustTokenPrivileges,	22_2_006FACB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_01D0ACEE AdjustTokenPrivileges,	24_2_01D0ACEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_01D0ACB7 AdjustTokenPrivileges,	24_2_01D0ACB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_01DFACEE AdjustTokenPrivileges,	26_2_01DFACEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_01DFACB7 AdjustTokenPrivileges,	26_2_01DFACB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 28_2_01D8ACEE AdjustTokenPrivileges,	28_2_01D8ACEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 28_2_01D8ACB7 AdjustTokenPrivileges,	28_2_01D8ACB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_0052ACEE AdjustTokenPrivileges,	30_2_0052ACEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_0052ACB7 AdjustTokenPrivileges,	30_2_0052ACB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 33_2_003CACEE AdjustTokenPrivileges,	33_2_003CACEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 33_2_003CACB7 AdjustTokenPrivileges,	33_2_003CACB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_01D0ACEE AdjustTokenPrivileges,	35_2_01D0ACEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_01D0ACB7 AdjustTokenPrivileges,	35_2_01D0ACB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 37_2_01F4ACEE AdjustTokenPrivileges,	37_2_01F4ACEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 37_2_01F4ACB7 AdjustTokenPrivileges,	37_2_01F4ACB7

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\CTF loader_es.exe C:\Users\user\AppData\Roaming\CTF loader_es.exe
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe'
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe'
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Users\user\AppData\Roaming\CTF loader_es.exe C:\Users\user\AppData\Roaming\CTF loader_es.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: unknown	Process created: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\CTF loader_es.exe C:\Users\user\AppData\Roaming\CTF loader_es.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Users\user\AppData\Roaming\CTF loader_es.exe C:\Users\user\AppData\Roaming\CTF loader_es.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_02B20591 pushad ; ret		5_2_02B205B4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_02B20681 pushad ; ret		5_2_02B206F4

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File created: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File created: C:\Users\user\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Bw6d8Paf6bOV36xS4N6			Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run qweruiuyt

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Section loaded: OutputDebugStringW count: 112
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Section loaded: OutputDebugStringW count: 212

Analysis Report PO5421-allignright.doc

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Source: CTF loader_es.exe, 00000004.00000002.2155381323.0000000003709000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: CTF loader_es.exe, 00000004.00000002.2155381323.0000000003709000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLUSER

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Window / User API: threadDelayed 2342
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Window / User API: threadDelayed 7399

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2368	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe TID: 2680	Thread sleep count: 91 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe TID: 2588	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3012	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2992	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2344	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2204	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe TID: 2868	Thread sleep count: 86 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2352	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2636	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2656	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe TID: 2500	Thread sleep count: 89 > 30
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe TID: 2984	Thread sleep time: -540000s >= -30000s
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe TID: 2352	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe TID: 2352	Thread sleep time: -150000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1276	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2468	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2264	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1840	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2636	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2328	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2184	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3196	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Last function: Thread delayed

Source: CTF loader_es.exe, 00000004.00000002.2155381323.0000000003709000.00000004.00000001.sdmp	Binary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: CTF loader_es.exe, 00000004.00000002.2155381323.0000000003709000.00000004.00000001.sdmp	Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: CTF loader_es.exe, 00000004.00000002.2155381323.0000000003709000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: powershell.exe, 00000007.00000003.2099707866.00000000006A7000.00000004.00000001.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: CTF loader_es.exe, 00000004.00000002.2155381323.0000000003709000.00000004.00000001.sdmp	Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: CTF loader_es.exe, 00000004.00000002.2155381323.0000000003709000.00000004.00000001.sdmp	Binary or memory string: VMwareVBox
Source: CTF loader_es.exe, 00000004.00000002.2155381323.0000000003709000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: CTF loader_es.exe, 00000004.00000002.2155381323.0000000003709000.00000004.00000001.sdmp	Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Memory written: C:\Users\user\AppData\Roaming\CTF loader_es.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Memory written: unknown base: 400000 value starts with: 4D5A			Jump to behavior

Source: Yara match	File source: 00000004.00000002.2163761430.0000000003D1A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2356104817.0000000002794000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2191309843.00000000039DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2354759653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2355909914.00000000026B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CTF loader_es.exe PID: 2708, type: MEMORY

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies