Analysis Report PO4802.exe

Overview

General Information

Sample Name: PO4802.exe
Analysis ID: 404250
MD5: a14391876bbe1525b9674c37ae9bbc1c
SHA1: d10ac418ba57d95314e4f33b26dcede43bc78233
SHA256: 682975915925d77c388cad6bf2868c2eeb94e0b647387f6a9dc2768ff4242920
Tags: exe

Detection

AgentTesla
Score: 96 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Contains functionality to register a low level keyboard hook
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • PO4802.exe (PID: 5932 cmdline: 'C:\Users\user\Desktop\PO4802.exe' MD5: A14391876BBE1525B9674C37AE9BBC1C)
    • schtasks.exe (PID: 6116 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rmwSPnNZtb' /XML 'C:\Users\user\AppData\Local\Temp\tmp8AC2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PO4802.exe (PID: 6028 cmdline: {path} MD5: A14391876BBE1525B9674C37AE9BBC1C)
  • pBIYNM.exe (PID: 3176 cmdline: 'C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exe' MD5: A14391876BBE1525B9674C37AE9BBC1C)
    • schtasks.exe (PID: 1736 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rmwSPnNZtb' /XML 'C:\Users\user\AppData\Local\Temp\tmp4180.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • pBIYNM.exe (PID: 5936 cmdline: {path} MD5: A14391876BBE1525B9674C37AE9BBC1C)
  • cleanup
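The process tree above shows the persistence step in one line: the loader, running from the user's Desktop, calls schtasks.exe /Create with a task under an innocuous "Updates\" folder whose definition is imported from a tmp*.tmp file in %Temp%, then starts a second copy of itself (the instance the unpacked payload runs in). The Python below is an added example of turning that into a detection over process-creation telemetry; it is not part of the Joe Sandbox report. Its records are constructed in the shape of Sysmon Event ID 1, with images, command lines and PIDs of the first three taken from the tree above; the parent of the first process, the fourth record (a benign control case), and the scoring threshold are assumptions.

```python
"""Detect the scheduled-task persistence pattern from the process tree above.

Constructed Sysmon Event ID 1 (process creation) records stand in for EDR
telemetry; they are not sandbox output. Images, command lines and PIDs of the
first three records are taken from the report, everything else is assumed.
"""
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to. A task-creating parent that
# lives here is far more suspicious than an installer under Program Files.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")

# One schtasks argument value: double-quoted, single-quoted (as the sandbox
# renders command lines) or bare.
_ARG = r"""\s+(?:"([^"]+)"|'([^']+)'|(\S+))"""
TASK_NAME_RE = re.compile(r"/tn" + _ARG, re.IGNORECASE)
XML_PATH_RE = re.compile(r"/xml" + _ARG, re.IGNORECASE)
# Windows GetTempFileName() names: tmp + 4 hex digits + .tmp, which is what
# .NET's Path.GetTempFileName() hands a loader that writes its task XML out.
TEMP_XML_RE = re.compile(r"\\temp\\tmp[0-9a-f]{4}\.tmp$", re.IGNORECASE)
# Short random task names under an innocuous-looking "Updates" folder.
RANDOM_TASK_RE = re.compile(r"updates\\[a-z0-9]{8,12}", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str


# Constructed telemetry. Records 1-3 mirror the Startup tree; the parent of the
# first process is assumed, and record 4 is an invented benign control case.
EVENTS = [
    ProcEvent(5932, r"C:\Users\user\Desktop\PO4802.exe",
              r"'C:\Users\user\Desktop\PO4802.exe'",
              r"C:\Windows\explorer.exe"),
    ProcEvent(6116, r"C:\Windows\System32\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rmwSPnNZtb' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmp8AC2.tmp'",
              r"C:\Users\user\Desktop\PO4802.exe"),
    ProcEvent(6028, r"C:\Users\user\Desktop\PO4802.exe",
              r"C:\Users\user\Desktop\PO4802.exe",
              r"C:\Users\user\Desktop\PO4802.exe"),
    ProcEvent(4242, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"',
              r"C:\Windows\System32\cmd.exe"),
]


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def _arg(pattern: re.Pattern, cmd: str):
    """Value of the first match of pattern in cmd, whichever quoting was used."""
    m = pattern.search(cmd)
    return next(g for g in m.groups() if g is not None) if m else None


def flag_schtasks_persistence(events):
    """One finding per schtasks /Create that matches at least two loader traits."""
    findings = []
    for ev in events:
        if not ev.image.lower().endswith("\\schtasks.exe"):
            continue
        if not re.search(r"/create\b", ev.command_line, re.IGNORECASE):
            continue
        task = _arg(TASK_NAME_RE, ev.command_line)
        xml = _arg(XML_PATH_RE, ev.command_line)
        reasons = []
        if _user_writable(ev.parent_image):
            reasons.append(f"parent runs from a user-writable path: {ev.parent_image}")
        if xml and TEMP_XML_RE.search(xml):
            reasons.append(f"task definition imported from a temp file: {xml}")
        if task and RANDOM_TASK_RE.fullmatch(task):
            reasons.append(f"random-looking task name under Updates\\: {task}")
        if len(reasons) >= 2:
            findings.append({"pid": ev.pid, "task": task, "xml": xml, "reasons": reasons})
    return findings


def flag_self_respawn(events):
    """PIDs whose image equals the parent image and sits in a user-writable
    path: the loader starting a second copy of itself, which in this report is
    the instance the unpacked AgentTesla payload runs in."""
    return [ev.pid for ev in events
            if ev.image.lower() == ev.parent_image.lower() and _user_writable(ev.image)]


if __name__ == "__main__":
    for f in flag_schtasks_persistence(EVENTS):
        print(f"schtasks persistence: pid={f['pid']} task={f['task']}")
        for reason in f["reasons"]:
            print("  -", reason)
    print("self-respawn from user path, PIDs:", flag_self_respawn(EVENTS))
```

Requiring two of the three traits keeps administrators importing task XML from a temp file, or software updaters that genuinely own an "Updates" folder, out of the alert queue; the control record trips none of them. Note that the task name here (rmwSPnNZtb) is also the name of one of the dropped files listed under "Multi AV Scanner detection for dropped file", so the task name is worth pivoting on in file telemetry as well.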

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "nyewoodturnings2@earthlink.netAgbalaya12@smtpauth.earthlink.netchukkysample772@yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000018.00000002.493468906.0000000002EB1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000018.00000002.493468906.0000000002EB1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000018.00000002.486177435.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.493376392.0000000002CA1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000014.00000002.349891837.0000000003CE9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(10 more entries not shown)

Unpacked PEs

Source | Rule | Description | Author
0.2.PO4802.exe.3b5efa8.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
24.2.pBIYNM.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
20.2.pBIYNM.exe.3d8efa8.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.PO4802.exe.3b951c8.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
6.2.PO4802.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(2 more entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.PO4802.exe.3b5efa8.3.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "nyewoodturnings2@earthlink.netAgbalaya12@smtpauth.earthlink.netchukkysample772@yandex.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exe, ReversingLabs: Detection: 17%
Source: C:\Users\user\AppData\Roaming\rmwSPnNZtb.exe, ReversingLabs: Detection: 17%
Multi AV Scanner detection for submitted file
Source: PO4802.exe, Virustotal: Detection: 16%
Source: PO4802.exe, ReversingLabs: Detection: 17%
Antivirus or Machine Learning detection for unpacked file
Source: 24.2.pBIYNM.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 6.2.PO4802.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8

Compliance:

Source: PO4802.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PO4802.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Source: global traffic, TCP traffic: 192.168.2.3:49739 -> 207.69.189.203:587
Source: unknown, DNS traffic detected: queries for: smtpauth.earthlink.net
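The network evidence above (a DNS query for smtpauth.earthlink.net followed by TCP traffic from the analysis host to 207.69.189.203 on 587) is the exfiltration channel the extracted configuration announces with "Exfil Mode": "SMTP". Port 587 is the standard mail submission port, so the discriminating signal is not the port but which process opens it. The Python below is an added example of correlating the DNS and connection events into one finding; it is not part of the Joe Sandbox report. Its telemetry is constructed in the shape of Sysmon Event ID 22 (DNS query) and Event ID 3 (network connection); the destination, port and queried host come from the report, while the originating PID (the report attributes the traffic only to "global traffic"), the A-record answer, the control records, the RFC 5737 addresses and the mail-client allowlist are assumptions.

```python
"""Correlate DNS and network-connection telemetry into one SMTP-exfiltration
finding, the pattern recorded in the Networking lines of this report.

Constructed Sysmon Event ID 22 (DNS query) and Event ID 3 (network connection)
records stand in for EDR telemetry; they are not sandbox output. Destination
IP, port and queried hostname come from the report; the originating PID, the
A-record answer, the control records and the allowlist are assumed.
"""
from dataclasses import dataclass

# Mail ports: 25 (RFC 5321 SMTP), 465 (RFC 8314 implicit TLS), 587 (RFC 6409
# submission). 587 is standard for mail, so the opening process is the signal.
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}
# Binaries allowed to speak SMTP from a workstation; tune per environment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


@dataclass(frozen=True)
class NetEvent:
    pid: int
    image: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class DnsEvent:
    pid: int
    query: str
    answers: tuple


# Constructed telemetry. The first NetEvent/DnsEvent pair mirrors the report
# (PID and A record assumed); the others are invented control cases using
# RFC 5737 documentation addresses.
NET_EVENTS = [
    NetEvent(6028, r"C:\Users\user\Desktop\PO4802.exe", "207.69.189.203", 587),
    NetEvent(3100, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
             "203.0.113.25", 587),
    NetEvent(6028, r"C:\Users\user\Desktop\PO4802.exe", "198.51.100.7", 443),
]
DNS_EVENTS = [
    DnsEvent(6028, "smtpauth.earthlink.net", ("207.69.189.203",)),
    DnsEvent(3100, "smtp.office365.com", ("203.0.113.25",)),
]


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def hostnames_for(ip: str, dns_events) -> list:
    """Queried names whose answers contained ip: ties a raw connection back to
    the hostname the malware asked for (here, the SMTP host from its config)."""
    return sorted({d.query for d in dns_events if ip in d.answers})


def flag_smtp_exfil(net_events, dns_events):
    """One finding per mail-port connection opened by a non-mail-client process."""
    findings = []
    for ev in net_events:
        service = MAIL_PORTS.get(ev.dst_port)
        if service is None:
            continue
        if ev.image.rsplit("\\", 1)[-1].lower() in MAIL_CLIENTS:
            continue
        findings.append({
            "pid": ev.pid,
            "image": ev.image,
            "dst": f"{ev.dst_ip}:{ev.dst_port}",
            "service": service,
            "hosts": hostnames_for(ev.dst_ip, dns_events),
            # From a binary under the user profile this is the AgentTesla
            # pattern; from Program Files or System32 it still needs triage.
            "severity": "high" if _user_writable(ev.image) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in flag_smtp_exfil(NET_EVENTS, DNS_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} {f['image']} -> {f['dst']} "
              f"({f['service']}; resolved from {', '.join(f['hosts']) or 'no DNS seen'})")
```

The hostname correlation matters for response: blocking 207.69.189.203 alone does nothing once the provider rotates addresses, whereas the queried name and the SMTP account in the extracted configuration identify the mailbox that has to be reported to the provider.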
Urls found in memory or binary data
Source: PO4802.exe, 00000006.00000002.493376392.0000000002CA1000.00000004.00000001.sdmp, pBIYNM.exe, 00000018.00000002.493468906.0000000002EB1000.00000004.00000001.sdmp, String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: pBIYNM.exe, 00000018.00000002.493468906.0000000002EB1000.00000004.00000001.sdmp, String found in binary or memory: http://DynDns.comDynDNS
Source: pBIYNM.exe, 00000018.00000002.493468906.0000000002EB1000.00000004.00000001.sdmp, String found in binary or memory: http://RlcReC.com
Source: PO4802.exe, 00000006.00000002.496901953.0000000002F4B000.00000004.00000001.sdmp, String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: PO4802.exe, 00000006.00000002.502149528.000000000658D000.00000004.00000001.sdmp, String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: PO4802.exe, 00000006.00000002.496901953.0000000002F4B000.00000004.00000001.sdmp, String found in binary or memory: http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl0
Source: PO4802.exe, 00000006.00000002.502078730.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://crt.sectigo.com/SectigoR
Source: PO4802.exe, 00000006.00000002.496901953.0000000002F4B000.00000004.00000001.sdmp, String found in binary or memory: http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt0#
Source: PO4802.exe, 00000000.00000002.254465141.00000000058C0000.00000002.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: PO4802.exe, 00000006.00000002.496901953.0000000002F4B000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.comodoca.com0
Source: PO4802.exe, 00000006.00000002.496901953.0000000002F4B000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.sectigo.com0
Source: PO4802.exe, 00000000.00000002.245319468.0000000002811000.00000004.00000001.sdmp, pBIYNM.exe, 00000014.00000002.346715986.0000000002A41000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO4802.exe, 00000006.00000002.496901953.0000000002F4B000.00000004.00000001.sdmp, String found in binary or memory: http://smtpauth.earthlink.net
Source: PO4802.exe, 00000000.00000003.221410555.00000000057FF000.00000004.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO4802.exe, 00000000.00000003.221972351.0000000005800000.00000004.00000001.sdmp, PO4802.exe, 00000000.00000003.222264284.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com
Source: PO4802.exe, 00000000.00000003.221972351.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com//w
Source: PO4802.exe, 00000000.00000003.222264284.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com2
Source: PO4802.exe, 00000000.00000003.222264284.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comC
Source: PO4802.exe, 00000000.00000003.221972351.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comJ
Source: PO4802.exe, 00000000.00000003.221972351.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comTC
Source: PO4802.exe, 00000000.00000003.222264284.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comV
Source: PO4802.exe, 00000000.00000003.221574156.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comali
Source: PO4802.exe, 00000000.00000003.222264284.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comb
Source: PO4802.exe, 00000000.00000003.222169358.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comdd
Source: PO4802.exe, 00000000.00000003.221551890.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comegu
Source: PO4802.exe, 00000000.00000003.221972351.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comh
Source: PO4802.exe, 00000000.00000002.254465141.00000000058C0000.00000002.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: PO4802.exe, 00000000.00000003.221551890.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.como.
Source: PO4802.exe, 00000000.00000003.221551890.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.como.D
Source: PO4802.exe, 00000000.00000003.221551890.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comslnt
Source: PO4802.exe, 00000000.00000003.221972351.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comwdthO
Source: PO4802.exe, 00000000.00000002.254330826.00000000057D0000.00000004.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: PO4802.exe, 00000000.00000003.224802030.0000000005800000.00000004.00000001.sdmp, PO4802.exe, 00000000.00000003.224895231.00000000057E1000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/
Source: PO4802.exe, 00000000.00000002.254465141.00000000058C0000.00000002.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO4802.exe, 00000000.00000002.254465141.00000000058C0000.00000002.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO4802.exe, 00000000.00000002.254465141.00000000058C0000.00000002.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PO4802.exe, 00000000.00000002.254465141.00000000058C0000.00000002.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO4802.exe, 00000000.00000003.224868559.0000000005800000.00000004.00000001.sdmp, PO4802.exe, 00000000.00000002.254465141.00000000058C0000.00000002.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO4802.exe, 00000000.00000003.226070988.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersC
Source: PO4802.exe, 00000000.00000002.254465141.00000000058C0000.00000002.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO4802.exe, 00000000.00000003.225541270.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersN
Source: PO4802.exe, 00000000.00000003.226176990.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersb
Source: PO4802.exe, 00000000.00000003.224842524.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersd
Source: PO4802.exe, 00000000.00000003.229636028.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designerse
Source: PO4802.exe, 00000000.00000003.224868559.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersl
Source: PO4802.exe, 00000000.00000002.254330826.00000000057D0000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.coma
Source: PO4802.exe, 00000000.00000002.254465141.00000000058C0000.00000002.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: PO4802.exe, 00000000.00000003.221022876.00000000057FE000.00000004.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: PO4802.exe, 00000000.00000002.254465141.00000000058C0000.00000002.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO4802.exe, 00000000.00000002.254465141.00000000058C0000.00000002.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO4802.exe, 00000000.00000003.221022876.00000000057FE000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn4
Source: PO4802.exe, 00000000.00000003.221022876.00000000057FE000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnX
Source: PO4802.exe, 00000000.00000003.221022876.00000000057FE000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnl
Source: PO4802.exe, 00000000.00000002.254465141.00000000058C0000.00000002.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO4802.exe, 00000000.00000002.254465141.00000000058C0000.00000002.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO4802.exe, 00000000.00000002.254465141.00000000058C0000.00000002.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: PO4802.exe, 00000000.00000003.223514839.00000000057DC000.00000004.00000001.sdmp, PO4802.exe, 00000000.00000003.223213648.00000000057D8000.00000004.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO4802.exe, 00000000.00000003.223514839.00000000057DC000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/4
Source: PO4802.exe, 00000000.00000003.223514839.00000000057DC000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/D
Source: PO4802.exe, 00000000.00000003.223514839.00000000057DC000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Hebr
Source: PO4802.exe, 00000000.00000003.223213648.00000000057D8000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/R
Source: PO4802.exe, 00000000.00000003.223514839.00000000057DC000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: PO4802.exe, 00000000.00000003.223213648.00000000057D8000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0r
Source: PO4802.exe, 00000000.00000003.223514839.00000000057DC000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/en-u
Source: PO4802.exe, 00000000.00000003.223514839.00000000057DC000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: PO4802.exe, 00000000.00000003.223514839.00000000057DC000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/u
Source: PO4802.exe, 00000000.00000003.223514839.00000000057DC000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/ru-r
Source: PO4802.exe, 00000000.00000003.223080684.00000000057DA000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/u
Source: PO4802.exe, 00000000.00000003.222215878.0000000005800000.00000004.00000001.sdmp, String found in binary or memory: http://www.micro.
Source: PO4802.exe, 00000000.00000002.254465141.00000000058C0000.00000002.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: PO4802.exe, 00000000.00000002.254465141.00000000058C0000.00000002.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: PO4802.exe, 00000000.00000002.254465141.00000000058C0000.00000002.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: PO4802.exe, 00000000.00000002.254465141.00000000058C0000.00000002.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: PO4802.exe, 00000000.00000003.224895231.00000000057E1000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.de
Source: PO4802.exe, 00000000.00000002.254465141.00000000058C0000.00000002.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: PO4802.exe, 00000000.00000003.221505014.0000000005800000.00000004.00000001.sdmp, pBIYNM.exe, 00000014.00000002.353357646.0000000005A50000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO4802.exe, 00000006.00000002.497023029.0000000002F6F000.00000004.00000001.sdmp, String found in binary or memory: https://TQbr7dE77vG36udz.net
Source: PO4802.exe, 00000006.00000002.496901953.0000000002F4B000.00000004.00000001.sdmp, String found in binary or memory: https://sectigo.com/CPS0
Source: PO4802.exe, 00000000.00000002.249292127.0000000003AB9000.00000004.00000001.sdmp, PO4802.exe, 00000006.00000002.486387354.0000000000402000.00000040.00000001.sdmp, pBIYNM.exe, 00000014.00000002.349891837.0000000003CE9000.00000004.00000001.sdmp, pBIYNM.exe, 00000018.00000002.486177435.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: PO4802.exe, 00000006.00000002.493376392.0000000002CA1000.00000004.00000001.sdmp, pBIYNM.exe, 00000018.00000002.493468906.0000000002EB1000.00000004.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\PO4802.exe, Code function 6_2_06083D80: SetWindowsHookExW(0000000D, 00000000, ?, ?) (idHook 0x0D is WH_KEYBOARD_LL, a system-wide low-level keyboard hook)
Installs a global keyboard hook
Source: C:\Users\user\Desktop\PO4802.exe, Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PO4802.exe
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\PO4802.exe, Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exe, Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\PO4802.exe, Code functions (0_2_* series):
0_2_027EC43C, 0_2_027EE4D0, 0_2_027EE4CC, 0_2_06EF26F8, 0_2_06EF7EC8, 0_2_06EF5EB0, 0_2_06EF3610, 0_2_06EF1CF8, 0_2_06EFABF8, 0_2_06EF8370,
0_2_06EFC330, 0_2_06EF10F0, 0_2_06EF0040, 0_2_06EFB008, 0_2_06EF6EED, 0_2_06EF26E9, 0_2_06EF5EA0, 0_2_06EF7EB8, 0_2_06EFAFF7, 0_2_06EF57C3,
0_2_06EFB7C0, 0_2_06EF57D0, 0_2_06EF6F18, 0_2_06EF1CE8, 0_2_06EF34E2, 0_2_06EF5CAB, 0_2_06EF5CB8, 0_2_06EF5403, 0_2_06EF5410, 0_2_06EFC5A0,
0_2_06EFC5B0, 0_2_06EF3576, 0_2_06EF4540, 0_2_06EF7555, 0_2_06EF353D, 0_2_06EF4539, 0_2_06EF050B, 0_2_06EF0518, 0_2_06EF9AA0, 0_2_06EF9AB0,
0_2_06EF5A28, 0_2_06EF5A1B, 0_2_06EFABE8, 0_2_06EFC320, 0_2_06EF10C3, 0_2_06EF88A0, 0_2_06EF88B0, 0_2_06EFC028, 0_2_06EF0006, 0_2_06EFC018
Source: C:\Users\user\Desktop\PO4802.exe, Code functions (6_2_* series):
6_2_00DDC870, 6_2_00DDDDA8, 6_2_00DD852C, 6_2_00DDAF40, 6_2_00DD6868, 6_2_00DD1188, 6_2_00DD5A18, 6_2_00DF4420, 6_2_00DFA5F9, 6_2_00DF7508,
6_2_00DFF138, 6_2_00DF8270, 6_2_00DF5410, 6_2_02AA4750, 6_2_02AA3EAA, 6_2_02AAD8A1, 6_2_06081E08
Source: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exe, Code functions (20_2_* series):
20_2_028CE4CF, 20_2_028CE4D0, 20_2_028CC43C, 20_2_04F26048
Source: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exe, Code functions (24_2_* series):
24_2_015E4772, 24_2_015E4806, 24_2_015ED8A1, 24_2_06247530, 24_2_06246918, 24_2_062494F0, 24_2_06246C60
                      Source: PO4802.exe, 00000000.00000000.217133417.0000000000562000.00000002.00020000.sdmpBinary or memory string: OriginalFilename7o8fMd3dPrzmM8G.exeR vs PO4802.exe
                      Source: PO4802.exe, 00000000.00000002.248996249.0000000003819000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs PO4802.exe
                      Source: PO4802.exe, 00000000.00000002.245319468.0000000002811000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSmartFormat.dll8 vs PO4802.exe
                      Source: PO4802.exe, 00000000.00000002.245319468.0000000002811000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUUOMCAfNVQuzUcdeYzXfMaAjCzK.exe4 vs PO4802.exe
                      Source: PO4802.exe, 00000000.00000002.258786308.000000000E5A0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs PO4802.exe
                      Source: PO4802.exe, 00000006.00000003.333607757.0000000006503000.00000004.00000001.sdmpBinary or memory string: OriginalFilename7o8fMd3dPrzmM8G.exeR vs PO4802.exe
                      Source: PO4802.exe, 00000006.00000002.491590609.0000000001050000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs PO4802.exe
                      Source: PO4802.exe, 00000006.00000002.488128759.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs PO4802.exe
                      Source: PO4802.exe, 00000006.00000002.486387354.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameUUOMCAfNVQuzUcdeYzXfMaAjCzK.exe4 vs PO4802.exe
                      Source: PO4802.exe, 00000006.00000002.487959179.0000000000D38000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs PO4802.exe
                      Source: PO4802.exeBinary or memory string: OriginalFilename7o8fMd3dPrzmM8G.exeR vs PO4802.exe
                      Source: PO4802.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: classification engineClassification label: mal96.troj.spyw.evad.winEXE@12/7@1/2
                      Source: C:\Users\user\Desktop\PO4802.exeFile created: C:\Users\user\AppData\Roaming\rmwSPnNZtb.exeJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5644:120:WilError_01
                      Source: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exeMutant created: \Sessions\1\BaseNamedObjects\ySymqvYQkaKuhQDdcTVEz
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6044:120:WilError_01
                      Source: C:\Users\user\Desktop\PO4802.exeFile created: C:\Users\user\AppData\Local\Temp\tmp8AC2.tmpJump to behavior
                      Source: PO4802.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\PO4802.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO4802.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO4802.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\PO4802.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\PO4802.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\PO4802.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Users\user\Desktop\PO4802.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\PO4802.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: pBIYNM.exeBinary or memory string: SELECT DoctorId FROM PatientDoctor WHERE PatientId = {0};
                      Source: pBIYNM.exeBinary or memory string: SELECT * FROM Patients a INNER JOIN PatientDoctor b ON a.Id = b.PatientId WHERE b.DoctorId = {0} ORDER BY LastName;
                      Source: PO4802.exe, 00000000.00000002.244221559.0000000000462000.00000002.00020000.sdmp, PO4802.exe, 00000006.00000000.243393577.0000000000882000.00000002.00020000.sdmp, pBIYNM.exe, 00000014.00000002.345234485.0000000000452000.00000002.00020000.sdmp, pBIYNM.exe, 00000018.00000002.487304334.0000000000AB2000.00000002.00020000.sdmpBinary or memory string: SELECT * FROM Patients a INNER JOIN PatientDoctor b ON a.Id = b.PatientId WHERE b.DoctorId = {0} ORDER BY LastName;oSELECT COUNT(*) FROM PatientDoctor WHERE DoctorId = {0}sSELECT DoctorId FROM PatientDoctor WHERE PatientId = {0};
                      Source: PO4802.exeVirustotal: Detection: 16%
                      Source: PO4802.exeReversingLabs: Detection: 17%
                      Source: PO4802.exeString found in binary or memory: Administrators/addNewToolStripMenuItem
                      Source: C:\Users\user\Desktop\PO4802.exeFile read: C:\Users\user\Desktop\PO4802.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\PO4802.exe 'C:\Users\user\Desktop\PO4802.exe'
                      Source: C:\Users\user\Desktop\PO4802.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rmwSPnNZtb' /XML 'C:\Users\user\AppData\Local\Temp\tmp8AC2.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\PO4802.exeProcess created: C:\Users\user\Desktop\PO4802.exe {path}
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exe 'C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exe'
                      Source: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rmwSPnNZtb' /XML 'C:\Users\user\AppData\Local\Temp\tmp4180.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exeProcess created: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exe {path}
                      Source: C:\Users\user\Desktop\PO4802.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rmwSPnNZtb' /XML 'C:\Users\user\AppData\Local\Temp\tmp8AC2.tmp'Jump to behavior
                      Source: C:\Users\user\Desktop\PO4802.exeProcess created: C:\Users\user\Desktop\PO4802.exe {path}Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rmwSPnNZtb' /XML 'C:\Users\user\AppData\Local\Temp\tmp4180.tmp'Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exeProcess created: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exe {path}Jump to behavior
                      Source: C:\Users\user\Desktop\PO4802.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\PO4802.exeAutomated click: OK
                      Source: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exeAutomated click: OK
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\PO4802.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO4802.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: PO4802.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: PO4802.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: PO4802.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: PO4802.exeStatic PE information: 0x84B5798D [Sat Jul 21 12:14:05 2040 UTC]
                      Source: C:\Users\user\Desktop\PO4802.exeCode function: 0_2_06EF34E2 push es; retf 0_2_06EF353C
                      Source: C:\Users\user\Desktop\PO4802.exeCode function: 0_2_06EF754E push es; ret 0_2_06EF7554
                      Source: C:\Users\user\Desktop\PO4802.exeCode function: 0_2_06EF351A push es; retf 0_2_06EF353C
                      Source: C:\Users\user\Desktop\PO4802.exeCode function: 0_2_06EF6236 push es; iretd 0_2_06EF6237
                      Source: C:\Users\user\Desktop\PO4802.exeCode function: 0_2_06EFA0C9 push es; retf 0_2_06EFA0D0
                      Source: C:\Users\user\Desktop\PO4802.exeCode function: 0_2_06EFA979 push edi; retf 0_2_06EFA980
                      Source: C:\Users\user\Desktop\PO4802.exeCode function: 0_2_06F51695 push FFFFFF8Bh; iretd 0_2_06F51697
                      Source: C:\Users\user\Desktop\PO4802.exeCode function: 6_2_00DD8140 pushad ; ret 6_2_00DD8141
                      Source: C:\Users\user\Desktop\PO4802.exeCode function: 6_2_00DF92F8 push FFFFFF85h; retf 8B01h6_2_00DF95AC
                      Source: C:\Users\user\Desktop\PO4802.exeCode function: 6_2_00DF8F54 push ds; retf 6_2_00DF8F73
                      Source: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exeCode function: 20_2_04F2BEFA push E802005Eh; retf 20_2_04F2BF01
                      Source: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exeCode function: 24_2_06248530 push es; ret 24_2_06248540
                      Source: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exeCode function: 24_2_0624850A push es; ret 24_2_06248540
                      Source: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exeCode function: 24_2_06850610 push es; ret 24_2_06850620
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.16984406642
Source: C:\Users\user\Desktop\PO4802.exe | File created: C:\Users\user\AppData\Roaming\rmwSPnNZtb.exe
Source: C:\Users\user\Desktop\PO4802.exe | File created: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exe

                      Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\PO4802.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rmwSPnNZtb' /XML 'C:\Users\user\AppData\Local\Temp\tmp8AC2.tmp'
Source: C:\Users\user\Desktop\PO4802.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pBIYNM
Source: C:\Users\user\Desktop\PO4802.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pBIYNM
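The two persistence mechanisms recorded above (a scheduled task created from an XML definition dropped in the user's Temp folder, and an HKCU Run value pointing into AppData) are the kind of behaviour a detection engineer would turn into a rule. The following added example is not part of the Joe Sandbox report or of the sample; it replays both mechanisms against constructed event records shaped like Sysmon process-creation (ID 1) and registry value-set (ID 13) events and flags the suspicious ones. The command lines, task name, value name and paths of the malicious records are copied from the report; the field names, the benign control records and the helper names are assumptions made for the example.

```python
"""Flag schtasks /XML persistence and user-path Run values in constructed events."""
import re
from dataclasses import dataclass

# Constructed process-creation records (Sysmon ID 1 shape). The first two
# copy the schtasks command lines from the report; the third is an invented
# benign control (task XML under ProgramData, launched from cmd.exe).
PROCESS_EVENTS = [
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": r"C:\Users\user\Desktop\PO4802.exe",
     "cmd": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rmwSPnNZtb' /XML 'C:\Users\user\AppData\Local\Temp\tmp8AC2.tmp'"},
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": r"C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exe",
     "cmd": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rmwSPnNZtb' /XML 'C:\Users\user\AppData\Local\Temp\tmp4180.tmp'"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"schtasks.exe /Create /TN Backup\Nightly /XML C:\ProgramData\Backup\nightly.xml"},
]

# Constructed registry value-set records (Sysmon ID 13 shape). The first
# copies the Run value from the report; the second is an invented benign control.
REGISTRY_EVENTS = [
    {"image": r"C:\Users\user\Desktop\PO4802.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "pBIYNM",
     "data": r"C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exe"},
    {"image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "VendorUpdater",
     "data": r"C:\Program Files\Vendor\updater.exe"},
]

# Paths an unprivileged user can write to; software installed by an admin
# normally lives elsewhere, so a task XML or autorun target here is suspicious.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.I)
SCHTASKS_XML = re.compile(r"/create\b.*?/xml\s+'?(?P<xml>[^'\s]+)", re.I)
TASK_NAME = re.compile(r"/tn\s+'?(?P<tn>[^'\s]+)", re.I)


@dataclass
class Finding:
    rule: str
    image: str      # process that performed the action
    detail: str     # what was created and where it points


def detect_schtasks_persistence(events):
    """Flag schtasks.exe /Create runs whose XML definition or whose parent
    process lives in a user-writable location."""
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith("\\schtasks.exe"):
            continue
        m = SCHTASKS_XML.search(ev["cmd"])
        if not m:
            continue
        xml_path = m.group("xml")
        tn = TASK_NAME.search(ev["cmd"])
        task = tn.group("tn") if tn else "<unknown>"
        if USER_WRITABLE.search(xml_path) or USER_WRITABLE.search(ev["parent_image"]):
            findings.append(Finding(
                "schtasks_xml_from_user_path",
                ev["parent_image"],
                f"task {task} from {xml_path}",
            ))
    return findings


def detect_run_key_persistence(events):
    """Flag Run values whose target executable sits in a user-writable path."""
    findings = []
    for ev in events:
        if not ev["key"].lower().endswith("\\currentversion\\run"):
            continue
        if USER_WRITABLE.search(ev["data"]):
            findings.append(Finding(
                "run_value_to_user_path",
                ev["image"],
                f"{ev['value']} -> {ev['data']}",
            ))
    return findings


def run_all():
    """Run both rules over the constructed events; returns all findings."""
    return detect_schtasks_persistence(PROCESS_EVENTS) + detect_run_key_persistence(REGISTRY_EVENTS)


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

Both rules key on the location rather than on the task or value name, because the name (Updates\rmwSPnNZtb, pBIYNM) is randomly generated per build and will not repeat, whereas a task definition written to %TEMP% by a parent running from Desktop or AppData is stable across AgentTesla builds. The Zone.Identifier deletion listed further down is a file-level event and is not covered by these process and registry rules.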

                      Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PO4802.exe | File opened: C:\Users\user\AppData\Roaming\pBIYNM\pBIYNM.exe:Zone.Identifier (read attributes | delete)
Source: C:\Users\user\Desktop\PO4802.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\PO4802.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO4802.exeProcess informati