Windows Analysis Report Purchase Order PO5351.exe

Overview

General Information

Sample Name: Purchase Order PO5351.exe
Analysis ID: 502625
MD5: 583ae888adbd5a79d055fbd414cc403b
SHA1: 02fe0acb2796c2be544cee6cde690071e3cbfced
SHA256: e2ef34d6833b50a6bb0c28e94c5f1f0c7454d13b41c14b5b5a8de2a84f8a8771
Tags: exe
Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected AgentTesla
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Detected potential unwanted application
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Executable has a suspicious name (potential lure to open the executable)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Drops certificate files (DER)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • Purchase Order PO5351.exe (PID: 492 cmdline: 'C:\Users\user\Desktop\Purchase Order PO5351.exe' MD5: 583AE888ADBD5A79D055FBD414CC403B)
    • Purchase Order PO5351.exe (PID: 5504 cmdline: 'C:\Users\user\Desktop\Purchase Order PO5351.exe' MD5: 583AE888ADBD5A79D055FBD414CC403B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "newwork1@appalliser.com", "Password": "!%RvA^hkLSn&", "Host": "mail.appalliser.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.551186931.0000000004812000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.551186931.0000000004812000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000002.00000001.291805615.0000000000414000.00000040.00020000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000001.291805615.0000000000414000.00000040.00020000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000002.00000002.550696214.0000000003341000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(14 entries in total; first 5 shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.Purchase Order PO5351.exe.415058.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.2.Purchase Order PO5351.exe.415058.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
2.2.Purchase Order PO5351.exe.3345530.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.2.Purchase Order PO5351.exe.3345530.3.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
2.2.Purchase Order PO5351.exe.3345530.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(31 entries in total; first 5 shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.Purchase Order PO5351.exe.47c0000.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "newwork1@appalliser.com", "Password": "!%RvA^hkLSn&", "Host": "mail.appalliser.com"}
Multi AV Scanner detection for submitted file
Source: Purchase Order PO5351.exe | ReversingLabs: Detection: 26%
Machine Learning detection for sample
Source: Purchase Order PO5351.exe | Joe Sandbox ML: detected
Source: 2.1.Purchase Order PO5351.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 2.2.Purchase Order PO5351.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 2.2.Purchase Order PO5351.exe.4810000.5.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Unpacked PE file: 2.2.Purchase Order PO5351.exe.400000.0.unpack
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Unpacked PE file: 2.2.Purchase Order PO5351.exe.4810000.5.unpack
Source: Purchase Order PO5351.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP | source: Purchase Order PO5351.exe, 00000000.00000003.285257913.000000000EF70000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Purchase Order PO5351.exe, 00000000.00000003.285257913.000000000EF70000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_00405E93 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_00402671 FindFirstFileA,
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_00404A29 FindFirstFileExW,
Source: Joe Sandbox View | ASN Name: ITLDC-NLUA ITLDC-NLUA
Source: global traffic | TCP traffic: 192.168.2.3:49827 -> 185.237.206.6:587
Source: Purchase Order PO5351.exe, 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Purchase Order PO5351.exe, 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Purchase Order PO5351.exe, 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp | String found in binary or memory: http://JydZpq.com
Source: Purchase Order PO5351.exe, 00000002.00000002.550446128.0000000002694000.00000004.00000001.sdmp | String found in binary or memory: http://appalliser.com
Source: Purchase Order PO5351.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: Purchase Order PO5351.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: Purchase Order PO5351.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Purchase Order PO5351.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Purchase Order PO5351.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | String found in binary or memory: http://crl.veris
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
Source: Purchase Order PO5351.exe, 00000002.00000002.553525383.00000000059A6000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.2.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1fdd1722a2534
Source: Purchase Order PO5351.exe, 00000002.00000002.550446128.0000000002694000.00000004.00000001.sdmp | String found in binary or memory: http://mail.appalliser.com
Source: Purchase Order PO5351.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Purchase Order PO5351.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Purchase Order PO5351.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: Purchase Order PO5351.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: Purchase Order PO5351.exe | String found in binary or memory: http://ocsp.digicert.com0L
Source: Purchase Order PO5351.exe | String found in binary or memory: http://ocsp.digicert.com0N
Source: Purchase Order PO5351.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: Purchase Order PO5351.exe | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp, 2D85F72862B55C4EADD9E66E06947F3D0.2.dr | String found in binary or memory: http://x1.i.lencr.org/
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: Purchase Order PO5351.exe, 00000002.00000003.508552580.00000000059BA000.00000004.00000001.sdmp | String found in binary or memory: https://dii.lencr.org/
Source: Purchase Order PO5351.exe, 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp, Purchase Order PO5351.exe, 00000002.00000003.491025576.0000000000644000.00000004.00000001.sdmp | String found in binary or memory: https://m5KdogWJECP9WFOWfNf.org
Source: Purchase Order PO5351.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: Purchase Order PO5351.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Purchase Order PO5351.exe, 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: mail.appalliser.com
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Purchase Order PO5351.exe
Detected potential unwanted application
Source: Purchase Order PO5351.exe | PE Signature Subject Chain: CN=Tencent Technology(Shenzhen) Company Limited, O=Tencent Technology(Shenzhen) Company Limited, L=Shenzhen, S=Guangdong, C=CN
.NET source code contains very large array initializations
Source: 2.2.Purchase Order PO5351.exe.4810000.5.unpack, <PrivateImplementationDetails>{D4B941FA-2DBA-4076-BF2B-68A2FCF4E49B}/BDC4F16A-1B55-4A62-9374-3C2BBA0A451E.cs | Large array initialization: .cctor: array initializer size 11961
Executable has a suspicious name (potential lure to open the executable)
Source: Purchase Order PO5351.exe | Static file information: Suspicious name
Source: Purchase Order PO5351.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_004047D3
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_004061D4
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_72F369FA
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_72F36A09
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_0040A2A5
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_0075EC80
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_00756180
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_0075E288
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_0075D8A0
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_008B2D30
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_008B4A4C
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_008B7E70
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_008B0040
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_008BD780
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_008CC960
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_008C7250
Source: Purchase Order PO5351.exe, 00000000.00000003.283553488.000000000F21F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order PO5351.exe
Source: Purchase Order PO5351.exe, 00000000.00000002.293225806.00000000023A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamekLkdFlZsZNmHamqDFHmrAA.exe4 vs Purchase Order PO5351.exe
Source: Purchase Order PO5351.exe | Binary or memory string: OriginalFilename vs Purchase Order PO5351.exe
Source: Purchase Order PO5351.exe, 00000002.00000002.551186931.0000000004812000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamekLkdFlZsZNmHamqDFHmrAA.exe4 vs Purchase Order PO5351.exe
Source: Purchase Order PO5351.exe, 00000002.00000002.548280613.0000000000199000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase Order PO5351.exe
Source: Purchase Order PO5351.exe | Static PE information: invalid certificate
Source: Purchase Order PO5351.exe | ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File read: C:\Users\user\Desktop\Purchase Order PO5351.exe
Source: Purchase Order PO5351.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order PO5351.exe 'C:\Users\user\Desktop\Purchase Order PO5351.exe'
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Process created: C:\Users\user\Desktop\Purchase Order PO5351.exe 'C:\Users\user\Desktop\Purchase Order PO5351.exe'
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File created: C:\Users\user\AppData\Local\Temp\nsk73A8.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/5@3/1
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar,
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,
Source: 2.2.Purchase Order PO5351.exe.4810000.5.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Binary string: wntdll.pdbUGP | source: Purchase Order PO5351.exe, 00000000.00000003.285257913.000000000EF70000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Purchase Order PO5351.exe, 00000000.00000003.285257913.000000000EF70000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Unpacked PE file: 2.2.Purchase Order PO5351.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Unpacked PE file: 2.2.Purchase Order PO5351.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Unpacked PE file: 2.2.Purchase Order PO5351.exe.4810000.5.unpack
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_72F31080 push eax; ret
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_00401F16 push ecx; ret
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_0075B59F push edi; retn 0000h
Source: Purchase Order PO5351.exe | Static PE information: real checksum: 0x0 should be: 0x64210
Source: gqdtoh.dll.0.dr | Static PE information: real checksum: 0xe45e should be: 0x1158f
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File created: C:\Users\user\AppData\Local\Temp\nsk73A9.tmp\gqdtoh.dll
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe TID: 5296 | Thread sleep time: -22136092888451448s >= -30000s
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe TID: 1716 | Thread sleep count: 1209 > 30
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe TID: 1716 | Thread sleep count: 8626 > 30
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Window / User API: threadDelayed 1209
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Window / User API: threadDelayed 8626
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_00405E93 FindFirstFileA,FindClose,
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_00402671 FindFirstFileA,
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_00404A29 FindFirstFileExW,
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Thread delayed: delay time: 922337203685477
                      Source: Purchase Order PO5351.exe, 00000002.00000003.511012133.00000000059BA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_004067FE GetProcessHeap,
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_72F36402 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_72F366C7 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_72F36744 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_72F36616 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_72F36706 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_004035F1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_00750A66 KiUserExceptionDispatcher,KiUserExceptionDispatcher,LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Memory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_00401E1D SetUnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Memory written: C:\Users\user\Desktop\Purchase Order PO5351.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Process created: C:\Users\user\Desktop\Purchase Order PO5351.exe 'C:\Users\user\Desktop\Purchase Order PO5351.exe'
                      Source: Purchase Order PO5351.exe, 00000002.00000002.550054564.0000000000E30000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                      Source: Purchase Order PO5351.exe, 00000002.00000002.550054564.0000000000E30000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: Purchase Order PO5351.exe, 00000002.00000002.550054564.0000000000E30000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: Purchase Order PO5351.exe, 00000002.00000002.550054564.0000000000E30000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_0040208D cpuid
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 2.2.Purchase Order PO5351.exe.415058.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase Order PO5351.exe.3345530.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase Order PO5351.exe.3345530.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase Order PO5351.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase Order PO5351.exe.4e81b0.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.1.Purchase Order PO5351.exe.415058.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase Order PO5351.exe.47c0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Purchase Order PO5351.exe.23b1458.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.1.Purchase Order PO5351.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Purchase Order PO5351.exe.23b1458.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase Order PO5351.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase Order PO5351.exe.4810000.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase Order PO5351.exe.47c0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Purchase Order PO5351.exe.23a0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase Order PO5351.exe.4e81b0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.1.Purchase Order PO5351.exe.415058.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Purchase Order PO5351.exe.23a0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase Order PO5351.exe.415058.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000002.551186931.0000000004812000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000001.291805615.0000000000414000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.550696214.0000000003341000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.548389108.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.550919665.00000000047C0000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.293225806.00000000023A0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.548716786.00000000004CB000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Purchase Order PO5351.exe PID: 492, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Purchase Order PO5351.exe PID: 5504, type: MEMORYSTR
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Tries to steal Mail credentials (via file access)
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: Yara match | File source: 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Purchase Order PO5351.exe PID: 5504, type: MEMORYSTR
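The evasion and credential-theft signatures above all share one line shape, "Source: <process or memory dump> <Event>: <detail>", with the event label fused onto the source by the page extraction. The script below is an added example written for this page, not the report's or Joe Security's code. It parses a handful of lines copied from the sections above (embedded as a constructed sample) and derives the facts an analyst wants at triage: which WMI classes were probed, whether a written memory region starts with the PE magic 4D5A (the bytes "MZ") and whether the target is a copy of the sample's own image, which applications' credential stores were opened, and whether the thread delay is .NET's TimeSpan.MaxValue expressed in milliseconds. The credential-store path table and the .NET constant are the editor's assumptions, not data from the report.

```python
"""Parse Joe Sandbox-style signature lines ("Source: <who> <Event>: <detail>") and pull
out the triage facts the evasion and credential-theft sections of a report carry.
Added example; not part of the report or of Joe Security's code."""
import re

# Event labels used in the report's signature lines. The text extraction fuses the
# source with the label (".exeWMI Queries:"), so the parser splits on the known labels
# instead of on a separator; an optional " | " between the two is tolerated as well.
EVENT_LABELS = [
    "WMI Queries", "Thread sleep time", "Thread sleep count", "Thread delayed",
    "Window / User API", "Process information queried", "Process information set",
    "Code function", "Binary or memory string", "Process token adjusted",
    "Memory allocated", "Memory written", "Process created",
    "Queries volume information", "Key value queried", "Key opened", "File opened",
]
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*(?:\|\s*)?(?P<event>"
    + "|".join(re.escape(label) for label in EVENT_LABELS)
    + r"):\s*(?P<detail>.*)$"
)
WMI_CLASS_RE = re.compile(r"root\\cimv2 : (?:SELECT \* FROM )?(Win32_\w+)")
MEMWRITE_RE = re.compile(
    r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<magic>[0-9A-Fa-f]+)$"
)
DELAY_RE = re.compile(r"delay time: (\d+)")

# Editor's table of path fragments that identify well-known credential stores.
CREDENTIAL_STORES = {
    r"\FileZilla\recentservers.xml": "FileZilla",
    r"\SmartFTP\Client 2.0\Favorites": "SmartFTP",
    r"\Martin Prikryl\WinSCP 2\Sessions": "WinSCP",
    r"\Thunderbird\profiles.ini": "Thunderbird",
    r"\Mozilla\Firefox\profiles.ini": "Firefox",
    r"\Google\Chrome\User Data\Default\Login Data": "Chrome",
    r"\Windows Messaging Subsystem\Profiles\Outlook": "Outlook",
    r"\IncrediMail\Identities": "IncrediMail",
}

# 922337203685477 ms is Int64.MaxValue ticks / 10000, i.e. TimeSpan.MaxValue in .NET:
# a "wait forever" value, not a real timer interval (editor's interpretation).
DOTNET_MAX_TIMESPAN_MS = (2**63 - 1) // 10_000

# Constructed sample: lines copied from the signature sections of this report.
SAMPLE = r"""
Source: C:\Users\user\Desktop\Purchase Order PO5351.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Purchase Order PO5351.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe TID: 1716Thread sleep count: 8626 > 30
Source: C:\Users\user\Desktop\Purchase Order PO5351.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Purchase Order PO5351.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: Purchase Order PO5351.exe, 00000002.00000003.511012133.00000000059BA000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Purchase Order PO5351.exeMemory written: C:\Users\user\Desktop\Purchase Order PO5351.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Purchase Order PO5351.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\Purchase Order PO5351.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Purchase Order PO5351.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Purchase Order PO5351.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
"""


def parse_lines(text):
    """Return (source, event, detail) triples; lines matching no known label are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(m["src"], m["event"], m["detail"]) for m in matches if m]


def vm_probe_classes(events):
    """WMI classes the sample enumerated (BaseBoard/Processor/NetworkAdapter* are classic VM checks)."""
    found = (WMI_CLASS_RE.search(d) for _, e, d in events if e == "WMI Queries")
    return sorted({m.group(1) for m in found if m})


def hypervisor_strings(events):
    """Memory strings naming a hypervisor, another VM tell."""
    return sorted(d for _, e, d in events if e == "Binary or memory string" and "hyper-v" in d.lower())


def pe_writes(events):
    """'Memory written' events whose leading bytes decode to b'MZ', i.e. a PE image placed in
    a process. same_image marks a write into a fresh copy of the writer's own executable
    (the pattern in this report) rather than into a third-party process."""
    hits = []
    for src, event, detail in events:
        m = MEMWRITE_RE.match(detail) if event == "Memory written" else None
        if m and bytes.fromhex(m["magic"]).startswith(b"MZ"):
            hits.append({"target": m["target"], "base": int(m["base"], 16),
                         "same_image": m["target"].lower() == src.lower()})
    return hits


def credential_targets(events):
    """Applications whose credential stores were opened, by file path or registry key."""
    opened = [d.lower() for _, e, d in events if e in ("File opened", "Key opened")]
    return sorted({app for frag, app in CREDENTIAL_STORES.items()
                   if any(frag.lower() in d for d in opened)})


def longest_delay_ms(events):
    found = (DELAY_RE.search(d) for _, e, d in events if e == "Thread delayed")
    return max((int(m.group(1)) for m in found if m), default=0)


def triage(text):
    events = parse_lines(text)
    return {"vm_probes": vm_probe_classes(events),
            "hypervisor_strings": hypervisor_strings(events),
            "pe_writes": pe_writes(events),
            "credential_targets": credential_targets(events),
            "infinite_wait": longest_delay_ms(events) >= DOTNET_MAX_TIMESPAN_MS}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Splitting on the label list rather than on a separator is deliberate: it works on the fused lines exactly as the page extraction produced them, and the lazy `src` group stops at the first label occurrence, so paths containing "TID: 1716" or a dump identifier are kept with the source.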

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: the same Yara match list as under Stealing of Sensitive Information above (18 unpacked PE files, 8 memory dumps, and the process memory space of PIDs 492 and 5504)

                      Mitre Att&ck Matrix

                      Techniques per tactic as listed in the report's matrix. Bracketed digits are the report's per-technique signature-count badges, reproduced as extracted; only techniques carrying a badge were matched by a signature.
                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                      Execution: Windows Management Instrumentation [211]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
                      Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
                      Privilege Escalation: Process Injection [112]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
                      Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; Software Packing [31]; Masquerading [1]; Virtualization/Sandbox Evasion [131]; Process Injection [112]; Indicator Removal from Tools; Masquerading
                      Credential Access: OS Credential Dumping [2]; Credentials in Registry [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                      Discovery: System Time Discovery [1]; File and Directory Discovery [2]; System Information Discovery [127]; Query Registry [1]; Security Software Discovery [131]; Process Discovery [2]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; Remote System Discovery [1]
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
                      Collection: Archive Collected Data [11]; Data from Local System [2]; Email Collection [1]; Clipboard Data [1]; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                      Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
                      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                      Impact: System Shutdown/Reboot [1]; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      Purchase Order PO5351.exe | 27% | ReversingLabs | Win32.Trojan.AgentTesla
                      Purchase Order PO5351.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      2.0.Purchase Order PO5351.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
                      2.1.Purchase Order PO5351.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                      2.2.Purchase Order PO5351.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                      2.2.Purchase Order PO5351.exe.4810000.5.unpack | 100% | Avira | TR/Spy.Gen8
                      0.0.Purchase Order PO5351.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
                      0.2.Purchase Order PO5351.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                      http://x1.i.lencr.org/ | 0% | URL Reputation | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      https://m5KdogWJECP9WFOWfNf.org | 0% | Avira URL Cloud | safe
                      http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      http://crl.veris | 0% | Avira URL Cloud | safe
                      http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
                      http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
                      http://r3.o.lencr.org0 | 0% | URL Reputation | safe
                      http://JydZpq.com | 0% | Avira URL Cloud | safe
                      https://dii.lencr.org/ | 0% | Avira URL Cloud | safe
                      http://mail.appalliser.com | 0% | Avira URL Cloud | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                      http://appalliser.com | 0% | Avira URL Cloud | safe
                      http://r3.i.lencr.org/0 | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      appalliser.com | 185.237.206.6 | true | true | (none) | unknown
                      x1.i.lencr.org | unknown | unknown | false | (none) | unknown
                      mail.appalliser.com | unknown | unknown | true | (none) | unknown

                            URLs from Memory and Binaries

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://127.0.0.1:HTTP/1.1 | Purchase Order PO5351.exe, 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                      http://x1.i.lencr.org/ | Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp, 2D85F72862B55C4EADD9E66E06947F3D0.2.dr | false | URL Reputation: safe | unknown
                      http://DynDns.comDynDNS | Purchase Order PO5351.exe, 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://nsis.sf.net/NSIS_Error | Purchase Order PO5351.exe | false | (none) | high
                      https://m5KdogWJECP9WFOWfNf.org | Purchase Order PO5351.exe, 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp, Purchase Order PO5351.exe, 00000002.00000003.491025576.0000000000644000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://cps.letsencrypt.org0 | Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Purchase Order PO5351.exe, 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://crl.veris | Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://x1.c.lencr.org/0 | Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://x1.i.lencr.org/0 | Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://r3.o.lencr.org0 | Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://JydZpq.com | Purchase Order PO5351.exe, 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://nsis.sf.net/NSIS_ErrorError | Purchase Order PO5351.exe | false | (none) | high
                      https://dii.lencr.org/ | Purchase Order PO5351.exe, 00000002.00000003.508552580.00000000059BA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://mail.appalliser.com | Purchase Order PO5351.exe, 00000002.00000002.550446128.0000000002694000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Purchase Order PO5351.exe | false | URL Reputation: safe | unknown
                      http://appalliser.com | Purchase Order PO5351.exe, 00000002.00000002.550446128.0000000002694000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://r3.i.lencr.org/0 | Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                Contacted IPs


                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.237.206.6 | appalliser.com | Ukraine | 21100 | ITLDC-NLUA | true

                                General Information

                                Joe Sandbox Version:33.0.0 White Diamond
                                Analysis ID:502625
                                Start date:14.10.2021
                                Start time:07:26:11
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 6m 55s
                                Hypervisor based Inspection enabled:false
                                Report type:light
                                Sample file name:Purchase Order PO5351.exe
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes:23
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.spyw.evad.winEXE@3/5@3/1
                                EGA Information:Failed
                                HDC Information:
                                • Successful, ratio: 14.1% (good quality ratio 13.2%)
                                • Quality average: 79.6%
                                • Quality standard deviation: 29.5%
                                HCA Information:
                                • Successful, ratio: 82%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .exe
                                Warnings:
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                • Excluded IPs from analysis (whitelisted): 95.100.218.79, 20.50.102.62, 93.184.221.240, 20.199.120.151, 20.82.209.183, 2.20.178.24, 2.20.178.33, 20.199.120.182, 20.199.120.85, 20.54.110.249, 40.112.88.60, 52.251.79.25, 2.21.100.12, 8.247.248.223, 8.247.248.249, 8.247.244.221
                                • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, e8652.dscx.akamaiedge.net, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, crl.root-x1.letsencrypt.org.edgekey.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: /opt/package/joesandbox/database/analysis/502625/sample/Purchase Order PO5351.exe

                                Simulations

                                Behavior and APIs

Time | Type | Description
07:27:17 | API Interceptor | 817x Sleep call for process: Purchase Order PO5351.exe modified

                                Joe Sandbox View / Context

                                IPs

Match | Associated Sample Name / URL | Detection | Context
185.237.206.6 | Purchase Order.exe | malicious |
185.237.206.6 | cBPH5n4T38.exe | malicious |
185.237.206.6 | L6F6m2L2Ll.exe | malicious |

                                      Domains

Match | Associated Sample Name / URL | Detection | Context

                                      ASN

Match | Associated Sample Name / URL | Detection | Context
ITLDC-NLUA | Purchase Order.exe | malicious | 185.237.206.6
ITLDC-NLUA | cBPH5n4T38.exe | malicious | 185.237.206.6
ITLDC-NLUA | yj1ZBFihuK.exe | malicious | 185.51.246.132
ITLDC-NLUA | L6F6m2L2Ll.exe | malicious | 185.237.206.6
ITLDC-NLUA | lfNKmms6qs.exe | malicious | 195.123.220.96
ITLDC-NLUA | RSDka7Gji5 | malicious | 5.34.180.211
ITLDC-NLUA | k3dBuYbiCS | malicious | 5.34.180.235
ITLDC-NLUA | 88ADABCBDAF29FCCC7DA2F88D9FF0363E3315583A421D.exe | malicious | 91.235.129.177
ITLDC-NLUA | visual-studio.exe | malicious | 185.14.28.246
ITLDC-NLUA | install.apk | malicious | 217.12.201.177
ITLDC-NLUA | Downloader39.apk | malicious | 217.12.201.177
ITLDC-NLUA | Download.apk | malicious | 217.12.201.177
ITLDC-NLUA | eAjAn18mbk.exe | malicious | 91.235.129.250
ITLDC-NLUA | 6x2arY3565.exe | malicious | 91.235.129.250
ITLDC-NLUA | 173f5bc0bdb61d4dfcb99400b4620b6cb9ad0838836e2.exe | malicious | 91.235.129.250
ITLDC-NLUA | d9EUyMpJpx.exe | malicious | 91.235.129.250
ITLDC-NLUA | jrmUDTByys.exe | malicious | 91.235.129.250
ITLDC-NLUA | sCBiepj0Jg.exe | malicious | 91.235.129.112
ITLDC-NLUA | fXQSFpOUX2.exe | malicious | 195.54.162.52
ITLDC-NLUA | 8ppXPyEzVO.exe | malicious | 195.54.162.52

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D
                                      Process:C:\Users\user\Desktop\Purchase Order PO5351.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):1391
                                      Entropy (8bit):7.705940075877404
                                      Encrypted:false
                                      SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                      MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                      SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                      SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                      SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview: 0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D
                                      Process:C:\Users\user\Desktop\Purchase Order PO5351.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):192
                                      Entropy (8bit):2.7594548283587708
                                      Encrypted:false
                                      SSDEEP:3:kkFklgbEvfllXlE/zMc/lljNNX8RolJuRdyo1dlUKlGXJlDdt:kK5ok1/l3NMa8Rdy+UKcXP
                                      MD5:5F3C33F91C2F962BF5FA0D280584412E
                                      SHA1:0BD2C8EB615D8EEC101ED6D8517D29EC53802537
                                      SHA-256:12B1E1A221F5D6877700117BCA8E62521A01C45FBE84523D1F39416953C789BF
                                      SHA-512:D7D2E13AD367FC97D47214A4C304A360840BC7886F37AF4592A18F471D47316B6486E50810F49E051B56366B3FB3B0DE3E8C65DE337C1E73E89DC69608714FB0
                                      Malicious:false
                                      Reputation:low
                                      Preview: p...... ............"...(....................................................... ..........~...{...............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".5.a.6.2.8.1.5.c.-.5.6.f."...
                                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                      Process:C:\Users\user\Desktop\Purchase Order PO5351.exe
                                      File Type:data
                                      Category:modified
                                      Size (bytes):326
                                      Entropy (8bit):3.40614825999367
                                      Encrypted:false
                                      SSDEEP:6:kKx8EMl/s8gFN+SkQlPlEGYRMY9z+4KlDA3RUeOlEfcTt:5W/Y2kPlE99SNxAhUefit
                                      MD5:1BBD1E1AA8D8C39ACDA50880D6710C45
                                      SHA1:C60321BDB330D8818735A893375F22BC438A94D8
                                      SHA-256:EE58BDDD88137D1F719E2A6C888202FBF2EABC57217C6625FB139F7293530AB4
                                      SHA-512:45620FCB54597857963015FBB3D0FDD46AC4E59D18E815FC98CF94D2E6711309FD06883AFD225E5707676945A8A32B27C3398F5ABD4467F03274F35E0DDCAA32
                                      Malicious:false
                                      Reputation:low
                                      Preview: p...... .........m.G#...(...............................................5....... ...........^.......$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.a.a.8.a.1.5.e.a.6.d.7.1.:.0."...
                                      C:\Users\user\AppData\Local\Temp\7qxl8ve37ylrx
                                      Process:C:\Users\user\Desktop\Purchase Order PO5351.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):292863
                                      Entropy (8bit):7.961452658152969
                                      Encrypted:false
                                      SSDEEP:6144:LGSgzB/hb/7+23m406iCGMFEDu7JumazHCjbfO:LGdVVD+23HK/OED8cujjO
                                      MD5:8A370FB10ECBA8A64914D4E12B0772AF
                                      SHA1:C313F3E635FFA7A4A64CD4E15C0A9330D7353528
                                      SHA-256:AE42F2FDFC9DA6EAA2D92F2581122CA1525552E8A219BE8434D8C01838A1E368
                                      SHA-512:0BF128F3880B90AA60799E948CD5E6A325EA9C96464754905A9220A46A1CC16CBA1CA9A22FFD8ABB34CB529B7996D5C93EE846A0AED48545E61F88D7190EDACF
                                      Malicious:false
                                      Reputation:low
                                      Preview: .[+....n.s6.Ot.........Bl..V.$I..3_.{..(S..=9.....#......j..Y.1...~.]Q.../....{.....8...7.G.2..3<.:....DA......c3...G.d(.}...........9...5`.,.x^\.........E..0p.....z..M...X.^u@\...$....,A8..{..< =.......j.a...T.e.jx.....J}...ju..P...l5.......nv.6.....c'.}...B...V.$..&.J...(...=9..q.....#............q..m..Z].P7..$..\..H...3....PO.rA.I..._~..7.s...x...Ec3...G.=....{..p._f......gw....@...}3 ......4y....O...!.#.i.A'|..>"*.^V..@...E).#.\.Pj<)S.?>.g]..l#..^.8]N`I.(....3.......[.P...l5..2....n~.6.....s....1.B...V.$I..3_.{..9.].C......h#..W...Q...R.q.Ym..Z...7....m.H.pj....PO..r1.....~..7.s.t.....2OZ/.G.'....q..zG.f.H1..a.w.im.@...k}3..+....4yt.I.O.r...x.@.I'|..>"*.^V..@..&E).#.\....)y.?>.g]..l#..x.8.L`I.(....3.......[.P...l5.......n.s6.....s......B...V.$I..3_.{..(S..=9.....#.........R.q.Ym..Z..P7.....\..H......I.PO.r1.I....~..7.s.t.x...Ec3...G.=....{..zX.f.....a.w.im.@...}3 ......4y....O....P..@.A'|..>"*.^V..@...E).#.\....)y.?>.g]..l#..x.8.L`I
                                      C:\Users\user\AppData\Local\Temp\nsk73A9.tmp\gqdtoh.dll
                                      Process:C:\Users\user\Desktop\Purchase Order PO5351.exe
                                      File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):24576
                                      Entropy (8bit):6.32837076682099
                                      Encrypted:false
                                      SSDEEP:384:RDreFw05DTFqdzQs+L5awDnZFf6KX2Y+jA4M99OvC5M8vslmSzM2g:SwgFqxw5agnT2t4WvCbvGmSzM
                                      MD5:5A58F937DF449DE296B78BFF64CDD730
                                      SHA1:A62509AA4D31DDB12A3DC881FB029D575B77484D
                                      SHA-256:59080307E0CFB01FE407D6F08347F540F3F0B42764B46C65C6571FF186ACE7C7
                                      SHA-512:BDCAFA07ACE4802845FD06BF203A4C393F211635E3A8F2B7FD2AF3DF0667318F90B7DB2563CA2838A510D72253D3B8F797D7491BA9FA1AD632D3DC274FA81D07
                                      Malicious:false
                                      Reputation:low
                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O............D1...../2.....E.............[......[......[......[.....Rich............................PE..L....yga...........!.....2...*...............P......................................^.....@..........................U..H....W.......................................U...............................................P..8............................text....0.......2.................. ..`.rdata.......P.......6..............@..@.data...0....`.......D..............@....rsrc................\..............@..B.reloc...............^..............@..B........................................................................................................................................................................................................................................................................................................................

                                      Static File Info

                                      General

                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                      Entropy (8bit):7.653315782399445
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:Purchase Order PO5351.exe
                                      File size:364231
                                      MD5:583ae888adbd5a79d055fbd414cc403b
                                      SHA1:02fe0acb2796c2be544cee6cde690071e3cbfced
                                      SHA256:e2ef34d6833b50a6bb0c28e94c5f1f0c7454d13b41c14b5b5a8de2a84f8a8771
                                      SHA512:6d584518b741a225f887d8bacc621ae0461b3ada7781fdba51a2cdcd717c3869bafc9d06da88c22b3530341032676057c5747afb3be9187844bb3f2293f37060
                                      SSDEEP:6144:uBlL/HheqzZxjy75LlbajiuZL75W4MTHkoPq7Cp2pskLhukZAd7isYL4jtaA2oQq:suKrj4LlbajiuZ/c4M7XusgACAd7ivz2
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@

                                      File Icon

                                      Icon Hash:0d19392929312d35

                                      Static PE Info

                                      General

                                      Entrypoint:0x4030fb
                                      Entrypoint Section:.text
                                      Digitally signed:true
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                      Time Stamp:0x56FF3A65 [Sat Apr 2 03:20:05 2016 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:b76363e9cb88bf9390860da8e50999d2

                                      Authenticode Signature

                                      Signature Valid:false
                                      Signature Issuer:CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
                                      Signature Validation Error:The digital signature of the object did not verify
                                      Error Number:-2146869232
                                      Not Before, Not After
                                      • 1/13/2020 4:00:00 PM 1/20/2021 4:00:00 AM
                                      Subject Chain
                                      • CN=Tencent Technology(Shenzhen) Company Limited, O=Tencent Technology(Shenzhen) Company Limited, L=Shenzhen, S=Guangdong, C=CN
                                      Version:3
                                      Thumbprint MD5:0B0EC13829CB3DF95419600B93128938
                                      Thumbprint SHA-1:F293EED3FF3D548262CDDC43DCE58CFC7F763622
                                      Thumbprint SHA-256:3B72D7A1799B268BCF7BEAA29AD853A7C82E3D8F1EBAF7D3A5B0E5597ED12BA4
                                      Serial:01EA62E443CB2250C870FF6BB13BA98E

                                      Entrypoint Preview

                                      Instruction
                                      sub esp, 00000184h
                                      push ebx
                                      push ebp
                                      push esi
                                      push edi
                                      xor ebx, ebx
                                      push 00008001h
                                      mov dword ptr [esp+20h], ebx
                                      mov dword ptr [esp+14h], 00409168h
                                      mov dword ptr [esp+1Ch], ebx
                                      mov byte ptr [esp+18h], 00000020h
                                      call dword ptr [004070B0h]
                                      call dword ptr [004070ACh]
                                      cmp ax, 00000006h
                                      je 00007FD3D4821CD3h
                                      push ebx
                                      call 00007FD3D4824AB4h
                                      cmp eax, ebx
                                      je 00007FD3D4821CC9h
                                      push 00000C00h
                                      call eax
                                      mov esi, 00407280h
                                      push esi
                                      call 00007FD3D4824A30h
                                      push esi
                                      call dword ptr [00407108h]
                                      lea esi, dword ptr [esi+eax+01h]
                                      cmp byte ptr [esi], bl
                                      jne 00007FD3D4821CADh
                                      push 0000000Dh
                                      call 00007FD3D4824A88h
                                      push 0000000Bh
                                      call 00007FD3D4824A81h
                                      mov dword ptr [00423F44h], eax
                                      call dword ptr [00407038h]
                                      push ebx
                                      call dword ptr [0040726Ch]
                                      mov dword ptr [00423FF8h], eax
                                      push ebx
                                      lea eax, dword ptr [esp+38h]
                                      push 00000160h
                                      push eax
                                      push ebx
                                      push 0041F4F0h
                                      call dword ptr [0040715Ch]
                                      push 0040915Ch
                                      push 00423740h
                                      call 00007FD3D48246B4h
                                      call dword ptr [0040710Ch]
                                      mov ebp, 0042A000h
                                      push eax
                                      push ebp
                                      call 00007FD3D48246A2h
                                      push ebx
                                      call dword ptr [00407144h]

                                      Rich Headers

                                      Programming Language:
                                      • [EXP] VC++ 6.0 SP5 build 8804

                                      Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7418 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2d000 | 0x10f20 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x5547f | 0x3a48 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x27c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                      Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5aeb | 0x5c00 | False | 0.665123980978 | data | 6.42230569414 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1196 | 0x1200 | False | 0.458984375 | data | 5.20291736659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1b038 | 0x600 | False | 0.432291666667 | data | 4.0475118296 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x25000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2d000 | 0x10f20 | 0x11000 | False | 0.306310317096 | data | 4.93888725895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                      Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2d190 | 0x10828 | data | English | United States
RT_DIALOG | 0x3d9b8 | 0x100 | data | English | United States
RT_DIALOG | 0x3dab8 | 0x11c | data | English | United States
RT_DIALOG | 0x3dbd8 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x3dc38 | 0x14 | data | English | United States
RT_MANIFEST | 0x3dc50 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                      Imports

DLL | Import
KERNEL32.dll | GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
USER32.dll | SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
ADVAPI32.dll | RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
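Added example (mine, not part of the Joe Sandbox report): a static-triage helper that reproduces how the section table above is derived. It walks the COFF section headers, computes Shannon entropy over each section's raw bytes and decodes the characteristics bits, then applies three reviewer checks: a section that is both writable and executable, a section whose entropy suggests packing or encryption, and the `.ndata` name, which is the uninitialised-data section written by the NSIS installer stub (my inference from the section name and from the import set, which includes the installer-style GetPrivateProfileStringA, SHBrowseForFolderA and ExitWindowsEx; the report itself does not name a packer). The PE bytes it parses are a constructed minimal image, not the sample, so the numbers differ from the table above.

```python
import math
import struct

# Section characteristic bits from the PE/COFF specification (the ones used in the report).
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def decode_flags(characteristics: int) -> list:
    return [name for bit, name in SECTION_FLAGS.items() if characteristics & bit]


def parse_sections(pe: bytes) -> list:
    """Walk the COFF section table of a PE image and return one dict per section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsections):
        off = table + 40 * i              # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 4),
            "flags": decode_flags(chars),
        })
    return sections


def triage(sections: list) -> list:
    """Reviewer heuristics over the parsed section table."""
    findings = []
    for s in sections:
        if "IMAGE_SCN_MEM_WRITE" in s["flags"] and "IMAGE_SCN_MEM_EXECUTE" in s["flags"]:
            findings.append(f"{s['name']}: writable and executable section")
        if s["raw_size"] and s["entropy"] > 7.2:
            findings.append(f"{s['name']}: entropy {s['entropy']} suggests packed or encrypted data")
        if s["name"] == ".ndata":
            findings.append(".ndata: section name used by the NSIS installer stub (assumption: NSIS-built dropper)")
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal 32-bit PE (no optional header) used only to exercise the parser."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x102)  # i386, 3 sections, 0-byte optional header
    headers_len = 64 + 4 + 20 + 3 * 40
    rsrc_data = bytes(range(64))     # 64 distinct byte values: entropy exactly 6.0
    text_data = bytes(16)            # all zero: entropy 0.0

    def hdr(name, vsize, va, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    table = (hdr(b".text", 0x1000, 0x1000, len(text_data), headers_len + len(rsrc_data), 0xE0000020)
             + hdr(b".ndata", 0x8000, 0x25000, 0, 0, 0xC0000080)
             + hdr(b".rsrc", 0x10F20, 0x2D000, len(rsrc_data), headers_len, 0x40000040))
    return bytes(dos) + b"PE\0\0" + coff + table + rsrc_data + text_data


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s['name']:<8} va=0x{s['va']:x} raw=0x{s['raw_size']:x} H={s['entropy']:.2f} {', '.join(s['flags'])}")
    for finding in triage(secs):
        print("!", finding)
```

To run it against the real file, replace `build_sample_pe()` with `open(path, "rb").read()`; the entropy threshold of 7.2 is a common triage cut-off, not a hard rule, and a `.rsrc` section sitting below 5 bits per byte (as above) is unremarkable on its own.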

                                      Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                                      Network Behavior

                                      Network Port Distribution

                                      TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 14, 2021 07:28:48.103780031 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6
Oct 14, 2021 07:28:48.128083944 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3
Oct 14, 2021 07:28:48.128288031 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6
Oct 14, 2021 07:28:48.190017939 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3
Oct 14, 2021 07:28:48.190541983 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6
Oct 14, 2021 07:28:48.214942932 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3
Oct 14, 2021 07:28:48.215382099 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6
Oct 14, 2021 07:28:48.241825104 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3
Oct 14, 2021 07:28:48.295159101 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6
Oct 14, 2021 07:28:48.314004898 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6
Oct 14, 2021 07:28:48.344969034 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3
Oct 14, 2021 07:28:48.345022917 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3
Oct 14, 2021 07:28:48.345057011 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3
Oct 14, 2021 07:28:48.345360994 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6
Oct 14, 2021 07:28:48.381767988 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6
Oct 14, 2021 07:28:48.406395912 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3
Oct 14, 2021 07:28:48.451350927 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6
Oct 14, 2021 07:28:52.353858948 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6
Oct 14, 2021 07:28:52.378302097 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3
Oct 14, 2021 07:28:52.379878044 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6
Oct 14, 2021 07:28:52.405571938 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3
Oct 14, 2021 07:28:52.406703949 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6
Oct 14, 2021 07:28:52.438637018 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3
Oct 14, 2021 07:28:52.439954042 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6
Oct 14, 2021 07:28:52.464122057 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3
Oct 14, 2021 07:28:52.464776993 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6
Oct 14, 2021 07:28:52.510333061 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3
Oct 14, 2021 07:28:52.510978937 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6
Oct 14, 2021 07:28:52.535233974 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3
Oct 14, 2021 07:28:52.536668062 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6
Oct 14, 2021 07:28:52.536798954 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6
Oct 14, 2021 07:28:52.537503958 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6
Oct 14, 2021 07:28:52.537579060 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6
Oct 14, 2021 07:28:52.560749054 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3
Oct 14, 2021 07:28:52.560791016 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3
Oct 14, 2021 07:28:52.561378956 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3
Oct 14, 2021 07:28:52.561495066 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3
Oct 14, 2021 07:28:52.603018045 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3
Oct 14, 2021 07:28:52.654861927 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6

                                      UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 14, 2021 07:28:47.837179899 CEST | 50728 | 53 | 192.168.2.3 | 8.8.8.8
Oct 14, 2021 07:28:47.926345110 CEST | 53 | 50728 | 8.8.8.8 | 192.168.2.3
Oct 14, 2021 07:28:47.958342075 CEST | 53777 | 53 | 192.168.2.3 | 8.8.8.8
Oct 14, 2021 07:28:47.993088007 CEST | 53 | 53777 | 8.8.8.8 | 192.168.2.3
Oct 14, 2021 07:28:50.094244957 CEST | 57106 | 53 | 192.168.2.3 | 8.8.8.8

                                      DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 14, 2021 07:28:47.837179899 CEST | 192.168.2.3 | 8.8.8.8 | 0xbd07 | Standard query (0) | mail.appalliser.com | A (IP address) | IN (0x0001)
Oct 14, 2021 07:28:47.958342075 CEST | 192.168.2.3 | 8.8.8.8 | 0x50fe | Standard query (0) | mail.appalliser.com | A (IP address) | IN (0x0001)
Oct 14, 2021 07:28:50.094244957 CEST | 192.168.2.3 | 8.8.8.8 | 0x381e | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001)

                                      DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 14, 2021 07:28:47.926345110 CEST | 8.8.8.8 | 192.168.2.3 | 0xbd07 | No error (0) | mail.appalliser.com | appalliser.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 14, 2021 07:28:47.926345110 CEST | 8.8.8.8 | 192.168.2.3 | 0xbd07 | No error (0) | appalliser.com | - | 185.237.206.6 | A (IP address) | IN (0x0001)
Oct 14, 2021 07:28:47.993088007 CEST | 8.8.8.8 | 192.168.2.3 | 0x50fe | No error (0) | mail.appalliser.com | appalliser.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 14, 2021 07:28:47.993088007 CEST | 8.8.8.8 | 192.168.2.3 | 0x50fe | No error (0) | appalliser.com | - | 185.237.206.6 | A (IP address) | IN (0x0001)
Oct 14, 2021 07:28:50.115859032 CEST | 8.8.8.8 | 192.168.2.3 | 0x381e | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | - | CNAME (Canonical name) | IN (0x0001)

                                      SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Oct 14, 2021 07:28:48.190017939 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3 | 220-cp7nl.hyperhost.ua ESMTP Exim 4.94.2 #2 Thu, 14 Oct 2021 08:28:48 +0300
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Oct 14, 2021 07:28:48.190541983 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6 | EHLO 494126
Oct 14, 2021 07:28:48.214942932 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3 | 250-cp7nl.hyperhost.ua Hello 494126 [102.129.143.33]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-STARTTLS
    250 HELP
Oct 14, 2021 07:28:48.215382099 CEST | 49827 | 587 | 192.168.2.3 | 185.237.206.6 | STARTTLS
Oct 14, 2021 07:28:48.241825104 CEST | 587 | 49827 | 185.237.206.6 | 192.168.2.3 | 220 TLS go ahead
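Read together, the network tables above show the exfiltration channel: the sample resolves mail.appalliser.com (CNAME to appalliser.com, A record 185.237.206.6), opens TCP 49827 to port 587 (the mail submission port), receives the Exim banner, sends EHLO with the bare name 494126 and issues STARTTLS as soon as the server advertises it. Everything after "220 TLS go ahead", including AUTH and the message that carries the stolen data, travels inside TLS, so the mailbox credentials cannot be read from this capture; they have to come from the extracted configuration or from process memory. Two side facts are worth keeping: the server's "Hello 494126 [102.129.143.33]" line echoes the sandbox's public egress address, and the later query for x1.i.lencr.org is consistent with Windows CryptoAPI fetching the issuer certificate named in the AIA extension of the server's Let's Encrypt certificate after the handshake (that host serves the ISRG Root X1 issuer certificate), a fetch that leaves a DER certificate file in the CryptoAPI URL cache on disk.

The following Python is an added example of my own, not report or malware code: it follows the CNAME chain to the exfiltration address, walks the ESMTP dialogue up to the TLS upgrade with a small state machine, and emits the indicators a detection engineer would keep (server, names, EHLO name, whether that EHLO name even looks like a hostname). Its inputs are the DNS answers and dialogue lines transcribed from the tables above; the dangling x1.i.lencr.org chain exercises the no-A-record case.

```python
import re

# DNS answers and the SMTP dialogue as transcribed from the report (sample input, not live traffic).
DNS_ANSWERS = [
    ("mail.appalliser.com", "CNAME", "appalliser.com"),
    ("appalliser.com", "A", "185.237.206.6"),
    ("x1.i.lencr.org", "CNAME", "crl.root-x1.letsencrypt.org.edgekey.net"),   # no A record was captured
]
SMTP_DIALOG = [
    "S: 220-cp7nl.hyperhost.ua ESMTP Exim 4.94.2 #2 Thu, 14 Oct 2021 08:28:48 +0300",
    "S: 220-We do not authorize the use of this system to transport unsolicited,",
    "S: 220 and/or bulk e-mail.",
    "C: EHLO 494126",
    "S: 250-cp7nl.hyperhost.ua Hello 494126 [102.129.143.33]",
    "S: 250-SIZE 52428800",
    "S: 250-8BITMIME",
    "S: 250-PIPELINING",
    "S: 250-PIPE_CONNECT",
    "S: 250-STARTTLS",
    "S: 250 HELP",
    "C: STARTTLS",
    "S: 220 TLS go ahead",
]
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")   # code, then '-' (more lines follow) or ' ' (last line)


def resolve_chain(answers, name, max_hops=8):
    """Follow CNAMEs from `name` to the A records seen in the capture. Returns (chain, addresses)."""
    chain, seen, current = [name], {name}, name
    for _ in range(max_hops):
        addrs = [t for n, ty, t in answers if n == current and ty == "A"]
        if addrs:
            return chain, addrs
        cnames = [t for n, ty, t in answers if n == current and ty == "CNAME"]
        if not cnames or cnames[0] in seen:        # dangling chain or CNAME loop
            break
        current = cnames[0]
        seen.add(current)
        chain.append(current)
    return chain, []


def names_for_ip(answers, ip):
    """Every name in the capture whose chain ends at `ip`."""
    return sorted(n for n in {n for n, _, _ in answers} if ip in resolve_chain(answers, n)[1])


def parse_smtp_dialog(lines):
    """Minimal ESMTP state machine over 'C: ...' / 'S: ...' lines, up to the TLS upgrade."""
    s = {"banner_host": None, "ehlo_name": None, "extensions": [], "client_public_ip": None,
         "starttls_offered": False, "starttls_sent": False, "tls_started": False}
    last_cmd = None
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "C":
            parts = text.split(maxsplit=1)
            last_cmd = parts[0].upper()
            if last_cmd == "EHLO" and len(parts) > 1:
                s["ehlo_name"] = parts[1]
            elif last_cmd == "STARTTLS":
                s["starttls_sent"] = True
            continue
        m = REPLY_RE.match(text)
        if not m:
            continue
        code, _sep, body = m.groups()
        if code == "220" and last_cmd is None and s["banner_host"] is None:
            s["banner_host"] = body.split()[0]           # greeting banner, first line only
        elif code == "250" and last_cmd == "EHLO":
            hello = re.search(r"Hello \S+ \[([\d.]+)\]", body)
            if hello:
                s["client_public_ip"] = hello.group(1)   # server echoes the client's egress address
            else:
                s["extensions"].append(body.split()[0])
        elif code == "220" and last_cmd == "STARTTLS":
            s["tls_started"] = True                      # everything after this is ciphertext on the wire
    s["starttls_offered"] = "STARTTLS" in s["extensions"]
    return s


def build_iocs(answers, dialog, dest_ip, dest_port):
    sess = parse_smtp_dialog(dialog)
    ehlo = sess["ehlo_name"] or ""
    return {
        "exfil_server": {"ip": dest_ip, "port": dest_port,
                         "names": names_for_ip(answers, dest_ip), "banner_host": sess["banner_host"]},
        "client_ehlo_name": ehlo,
        "ehlo_is_hostname_like": bool(re.search(r"[A-Za-z]", ehlo)),  # RFC 5321 expects an FQDN, not a bare number
        "sandbox_egress_ip": sess["client_public_ip"],
        "auth_visible_in_clear": not sess["tls_started"],
    }
```

`build_iocs(DNS_ANSWERS, SMTP_DIALOG, "185.237.206.6", 587)` returns the exfiltration server with both names that lead to it, the EHLO name 494126 flagged as not hostname-like, the egress address 102.129.143.33, and `auth_visible_in_clear` false; the last value is the reminder that a pcap of this session does not contain the mail account password.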

                                      Code Manipulations

                                      Statistics

                                      Behavior


                                      System Behavior

                                      General

Start time: 07:27:03
Start date: 14/10/2021
Path: C:\Users\user\Desktop\Purchase Order PO5351.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Purchase Order PO5351.exe'
Imagebase: 0x400000
File size: 364231 bytes
MD5 hash: 583AE888ADBD5A79D055FBD414CC403B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.293225806.00000000023A0000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.293225806.00000000023A0000.00000004.00000001.sdmp, Author: Joe Security
                                      Reputation:low

                                      General

Start time: 07:27:04
Start date: 14/10/2021
Path: C:\Users\user\Desktop\Purchase Order PO5351.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Purchase Order PO5351.exe'
Imagebase: 0x400000
File size: 364231 bytes
MD5 hash: 583AE888ADBD5A79D055FBD414CC403B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.551186931.0000000004812000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.551186931.0000000004812000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000001.291805615.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000001.291805615.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.550696214.0000000003341000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.550696214.0000000003341000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.548389108.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.548389108.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.550919665.00000000047C0000.00000004.00020000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.550919665.00000000047C0000.00000004.00020000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.548716786.00000000004CB000.00000004.00000020.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.548716786.00000000004CB000.00000004.00000020.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp, Author: Joe Security
                                      Reputation:low
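The two blocks above describe two instances of the same executable. The first (Yara hits only in a PAGE_READWRITE region at 0x23A0000, "C, C++ or other language") is the native installer stub; the second (hits at 0x400000 and 0x414000 with page protection 0x40, ".Net C# or VB.NET") is the same path after the managed AgentTesla payload was written over its image. Reading a Joe Sandbox dump name as <process index>.<dump number>.<sequence>.<region base>.<page protection>.<region type> is my assumption; only the process index, base address and protection fields are used below, and 0x40 is the documented Windows value of PAGE_EXECUTE_READWRITE. The following Python is an added example, not part of the report: it parses those match lines and reports, per process, which matched regions are RWX and whether the image base itself is, which is the footprint a self-overwriting unpacker or process hollowing leaves behind.

```python
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40   # Windows memory-protection constant

# Yara match lines transcribed from the two process blocks above (sample input, one line per region).
YARA_LINES = [
    "Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.293225806.00000000023A0000.00000004.00000001.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.551186931.0000000004812000.00000040.00000001.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000001.291805615.0000000000414000.00000040.00020000.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.550696214.0000000003341000.00000004.00000001.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.548389108.0000000000400000.00000040.00000001.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp, Author: Joe Security",
]

# Assumed dump-name layout: <process index>.<dump number>.<sequence>.<region base>.<protection>.<region type>
MATCH_RE = re.compile(r"Rule: (?P<rule>[^,]+),.*Source: (?P<src>[0-9A-Fa-f.]+)\.sdmp")


def parse_match(line):
    m = MATCH_RE.search(line)
    if not m:
        return None
    proc, _dump, _seq, base, prot, _kind = m.group("src").split(".")
    return {"rule": m.group("rule"), "process": int(proc), "base": int(base, 16), "protect": int(prot, 16)}


def summarize(lines, image_base=0x400000):
    """Per process: which rules hit, which matched regions are RWX, and whether the image base itself is RWX."""
    per_proc = defaultdict(list)
    for line in lines:
        rec = parse_match(line)
        if rec:
            per_proc[rec["process"]].append(rec)
    out = {}
    for proc, recs in sorted(per_proc.items()):
        rwx = sorted({r["base"] for r in recs if r["protect"] & PAGE_EXECUTE_READWRITE})
        out[proc] = {
            "rules": sorted({r["rule"] for r in recs}),
            "rwx_regions": rwx,
            "image_base_rwx": image_base in rwx,   # original image rewritten in place
        }
    return out


if __name__ == "__main__":
    for proc, info in summarize(YARA_LINES).items():
        print(proc, info["rules"], [hex(b) for b in info["rwx_regions"]], "image base RWX:", info["image_base_rwx"])
```

For this report the second process is the one to pull dumps from: its 0x400000 region is both a Yara hit and RWX, so that dump, not the file on disk, is where the .NET payload and its configuration live.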

                                      Disassembly

                                      Code Analysis
