Windows Analysis Report
Purchase order 450080088 proj. Allt Charnan.exe

Overview

General Information

Sample Name:	Purchase order 450080088 proj. Allt Charnan.exe
Analysis ID:	626538
MD5:	152ef22896bf39197d210d40171e898a
SHA1:	bdd88e03d9131d7f35e0bfadbed02010d231a1bd
SHA256:	5a3834895f08aff701a029275074d4ab47aff4951d6f75e8393b0a97cb8f6031
Tags:	agentteslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

.NET source code references suspicious native API functions

Modifies the hosts file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Creates processes with suspicious names

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection

Found malware configuration

Source: 29.0.jVULYR.exe.400000.4.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "aborderias@transmase.com", "Password": "pass@111", "Host": "smtp.transmase.com"}

Multi AV Scanner detection for submitted file

Source: Purchase order 450080088 proj. Allt Charnan.exe	Virustotal: Detection: 37%			Perma Link
Source: Purchase order 450080088 proj. Allt Charnan.exe	ReversingLabs: Detection: 61%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\NpPgfycY.exe	ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	ReversingLabs: Detection: 61%

Machine Learning detection for sample

Source: Purchase order 450080088 proj. Allt Charnan.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\NpPgfycY.exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 29.0.jVULYR.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 25.2.jVULYR.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.10.unpack	Avira: Label: TR/Spy.Gen8
Source: 29.0.jVULYR.exe.400000.6.unpack	Avira: Label: TR/Spy.Gen8
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.6.unpack	Avira: Label: TR/Spy.Gen8
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.8.unpack	Avira: Label: TR/Spy.Gen8
Source: 29.2.jVULYR.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 25.0.jVULYR.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 25.0.jVULYR.exe.400000.6.unpack	Avira: Label: TR/Spy.Gen8
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.12.unpack	Avira: Label: TR/Spy.Gen8
Source: 25.0.jVULYR.exe.400000.12.unpack	Avira: Label: TR/Spy.Gen8
Source: 25.0.jVULYR.exe.400000.8.unpack	Avira: Label: TR/Spy.Gen8
Source: 29.0.jVULYR.exe.400000.12.unpack	Avira: Label: TR/Spy.Gen8
Source: 29.0.jVULYR.exe.400000.8.unpack	Avira: Label: TR/Spy.Gen8
Source: 29.0.jVULYR.exe.400000.10.unpack	Avira: Label: TR/Spy.Gen8
Source: 25.0.jVULYR.exe.400000.10.unpack	Avira: Label: TR/Spy.Gen8

Uses 32bit PE files

Source: Purchase order 450080088 proj. Allt Charnan.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: Purchase order 450080088 proj. Allt Charnan.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: SZArrayEnumera.pdb source: jVULYR.exe, jVULYR.exe, 00000019.00000000.348771513.00000000009B2000.00000002.00000001.01000000.00000009.sdmp, jVULYR.exe, 0000001D.00000000.371444039.0000000000822000.00000002.00000001.01000000.00000009.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, jVULYR.exe.9.dr, NpPgfycY.exe.0.dr

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.3:49747 -> 208.91.198.38:587
Source: global traffic	TCP traffic: 192.168.2.3:49752 -> 162.222.225.16:587

Uses SMTP (mail sending)

Source: global traffic	TCP traffic: 192.168.2.3:49747 -> 208.91.198.38:587
Source: global traffic	TCP traffic: 192.168.2.3:49752 -> 162.222.225.16:587

Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: jVULYR.exe, 0000001D.00000002.520269819.000000000316E000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000003.480252697.0000000000D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://2FcFU77ZypH.org
Source: jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://TwQUlE.com
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244802747.0000000005E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.286211001.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000014.00000002.355635331.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.519099942.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.519288235.0000000002E45000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.520008150.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.519797643.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.520534688.000000000318E000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.520325574.0000000003176000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.transmase.com
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.519099942.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.519288235.0000000002E45000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.520008150.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.519797643.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.520534688.000000000318E000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.520325574.0000000003176000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com7
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.284755099.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.290951086.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.259064063.0000000005E6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comaL
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalic
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.259064063.0000000005E6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comceu
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcomd
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comh
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.284755099.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.290951086.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.259064063.0000000005E6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comiona
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comituL
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.284755099.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.290951086.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.259064063.0000000005E6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.commS
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246623797.0000000005E68000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246680153.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246509021.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246509021.0000000005E67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn:
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246623797.0000000005E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnaiL
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246680153.0000000005E67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cne-d
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246623797.0000000005E68000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246680153.0000000005E67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cng
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246680153.0000000005E67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn~
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.255349808.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.255002822.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.254913650.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.255131346.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.255062247.0000000005E98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/h
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245457597.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245996490.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246121234.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245979867.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246836550.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246204069.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246070856.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245007021.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244404121.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247306277.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245690255.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247535138.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244343928.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244364704.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246152019.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247977281.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244820676.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246915519.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245783482.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247726544.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246035883.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245457597.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245996490.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246121234.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245979867.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246836550.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246204069.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246070856.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245007021.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244404121.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247306277.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245690255.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247535138.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246152019.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247977281.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244820676.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246915519.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245783482.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247726544.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246035883.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245665208.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246265302.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.come
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245457597.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245996490.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246121234.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245979867.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246836550.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246204069.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246070856.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245007021.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244404121.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247306277.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245690255.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247535138.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246152019.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247977281.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244820676.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246915519.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245783482.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247726544.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246035883.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245665208.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246265302.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comt
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%appdata
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: smtp.transmase.com

Spam, unwanted Advertisements and Ransom Demands

Modifies the hosts file

Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe

File written: C:\Windows\System32\drivers\etc\hosts

Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 25.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 29.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.2.jVULYR.exe.3c2afb0.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.2.jVULYR.exe.3d94e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.2.jVULYR.exe.3d94e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 29.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3f6f990.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.2.jVULYR.exe.3e1f2b0.8.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 20.2.jVULYR.exe.3caafb0.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 25.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 25.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 20.2.jVULYR.exe.3e9f2b0.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 29.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.2.jVULYR.exe.3e1f2b0.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 20.2.jVULYR.exe.3c6f990.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 25.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 25.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.2.jVULYR.exe.3c2afb0.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 25.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 29.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 20.2.jVULYR.exe.3caafb0.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 29.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 20.2.jVULYR.exe.3e14e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 20.2.jVULYR.exe.3e14e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 29.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 20.2.jVULYR.exe.3e9f2b0.8.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.4114e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.4114e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 23.2.jVULYR.exe.3bef990.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen

Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b54531E20u002d7AC7u002d4E3Fu002dA3D6u002d2F253551ED56u007d/ED5B17C0u002dA6D7u002d428Du002d887Eu002dAAFCECD5D615.cs	Large array initialization: .cctor: array initializer size 11617
Source: 9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b54531E20u002d7AC7u002d4E3Fu002dA3D6u002d2F253551ED56u007d/ED5B17C0u002dA6D7u002d428Du002d887Eu002dAAFCECD5D615.cs	Large array initialization: .cctor: array initializer size 11617

Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 25.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 29.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.2.jVULYR.exe.3c2afb0.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.2.jVULYR.exe.3d94e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.2.jVULYR.exe.3d94e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 29.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3f6f990.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.2.jVULYR.exe.3e1f2b0.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 20.2.jVULYR.exe.3caafb0.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 25.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 25.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 20.2.jVULYR.exe.3e9f2b0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 29.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.2.jVULYR.exe.3e1f2b0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 20.2.jVULYR.exe.3c6f990.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 25.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 25.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.2.jVULYR.exe.3c2afb0.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 25.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 29.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 20.2.jVULYR.exe.3caafb0.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 29.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 20.2.jVULYR.exe.3e14e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 20.2.jVULYR.exe.3e14e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 29.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 20.2.jVULYR.exe.3e9f2b0.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.4114e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.4114e90.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 23.2.jVULYR.exe.3bef990.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload

Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 0_2_02D44358	0_2_02D44358
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 0_2_02D4BC20	0_2_02D4BC20
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 0_2_02D44348	0_2_02D44348
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 0_2_02D440B8	0_2_02D440B8
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 0_2_02D440A9	0_2_02D440A9
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 0_2_07AAB338	0_2_07AAB338
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 0_2_07AA2C3F	0_2_07AA2C3F
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 0_2_07AA1900	0_2_07AA1900
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 0_2_07AA1910	0_2_07AA1910
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_00FCF080	9_2_00FCF080
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_00FCF3C8	9_2_00FCF3C8
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_00FC6120	9_2_00FC6120
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_05BFCCF8	9_2_05BFCCF8
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_05BFBF98	9_2_05BFBF98
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_05BF9AE0	9_2_05BF9AE0
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_05BF1FF8	9_2_05BF1FF8
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_05BFB1C2	9_2_05BFB1C2
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_05BF0040	9_2_05BF0040
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_064B9F88	9_2_064B9F88
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_064B8520	9_2_064B8520
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_064B3330	9_2_064B3330
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 20_2_01274358	20_2_01274358
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 20_2_0127BC20	20_2_0127BC20
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 20_2_012740A9	20_2_012740A9
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 20_2_012740B8	20_2_012740B8
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 20_2_01274348	20_2_01274348
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 20_2_08CD9E40	20_2_08CD9E40
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 20_2_08CD15F7	20_2_08CD15F7
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 20_2_08CD02C8	20_2_08CD02C8
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 20_2_08CD02B8	20_2_08CD02B8
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 23_2_011A4358	23_2_011A4358
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 23_2_011ABC20	23_2_011ABC20
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 23_2_011A40B8	23_2_011A40B8
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 23_2_011A40A9	23_2_011A40A9
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 23_2_011A4348	23_2_011A4348
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 23_2_08D59E40	23_2_08D59E40
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 23_2_08D502C8	23_2_08D502C8
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 23_2_08D502B8	23_2_08D502B8
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 23_2_08D515F7	23_2_08D515F7
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 25_2_02C0F380	25_2_02C0F380
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 25_2_02C0F6C8	25_2_02C0F6C8
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 25_2_02C06560	25_2_02C06560
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 25_2_02C0CBE4	25_2_02C0CBE4
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 25_2_05792120	25_2_05792120
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 25_2_0579F86B	25_2_0579F86B
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 25_2_05790040	25_2_05790040
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 25_2_0579C820	25_2_0579C820
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 25_2_0579BAD0	25_2_0579BAD0
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 25_2_06348B77	25_2_06348B77
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 25_2_0634DB40	25_2_0634DB40
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 25_2_06342FC0	25_2_06342FC0
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 25_2_0634586D	25_2_0634586D
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 25_2_06342E70	25_2_06342E70
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 25_2_06340A40	25_2_06340A40
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 25_2_06343FB0	25_2_06343FB0
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 25_2_0634B158	25_2_0634B158

Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.289167000.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOaCZByYRZIaXaKflASJVDoK.exe4 vs Purchase order 450080088 proj. Allt Charnan.exe
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000000.239580570.0000000000BD8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSZArrayEnumera.exe6 vs Purchase order 450080088 proj. Allt Charnan.exe
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.293254846.0000000007A00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs Purchase order 450080088 proj. Allt Charnan.exe
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.289411327.0000000004092000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs Purchase order 450080088 proj. Allt Charnan.exe
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.289411327.0000000004092000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOaCZByYRZIaXaKflASJVDoK.exe4 vs Purchase order 450080088 proj. Allt Charnan.exe
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.286211001.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOaCZByYRZIaXaKflASJVDoK.exe4 vs Purchase order 450080088 proj. Allt Charnan.exe
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000008.00000000.278239975.0000000000378000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSZArrayEnumera.exe6 vs Purchase order 450080088 proj. Allt Charnan.exe
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000000.279735908.00000000007B8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSZArrayEnumera.exe6 vs Purchase order 450080088 proj. Allt Charnan.exe
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.510429258.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOaCZByYRZIaXaKflASJVDoK.exe4 vs Purchase order 450080088 proj. Allt Charnan.exe
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.512965723.0000000000B58000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase order 450080088 proj. Allt Charnan.exe
Source: Purchase order 450080088 proj. Allt Charnan.exe	Binary or memory string: OriginalFilenameSZArrayEnumera.exe6 vs Purchase order 450080088 proj. Allt Charnan.exe

Source: Purchase order 450080088 proj. Allt Charnan.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: NpPgfycY.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: jVULYR.exe.9.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: unknown	Process created: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe "C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe"
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NpPgfycY.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp86F3.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Process created: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Process created: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe "C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe"
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmpFBF4.tmp
Source: unknown	Process created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe "C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Process created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B32.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Process created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NpPgfycY.exe	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp86F3.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Process created: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Process created: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmpFBF4.tmp
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Process created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B32.tmp
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Process created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe

Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6956:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_01

Source: Purchase order 450080088 proj. Allt Charnan.exe, Ej/rT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Purchase order 450080088 proj. Allt Charnan.exe, Ej/rT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: NpPgfycY.exe.0.dr, Ej/rT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: NpPgfycY.exe.0.dr, Ej/rT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.b30000.0.unpack, Ej/rT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.b30000.0.unpack, Ej/rT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Purchase order 450080088 proj. Allt Charnan.exe.b30000.0.unpack, Ej/rT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Purchase order 450080088 proj. Allt Charnan.exe.b30000.0.unpack, Ej/rT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.2.unpack, Ej/rT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.2.unpack, Ej/rT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.1.unpack, Ej/rT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.1.unpack, Ej/rT.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: NpPgfycY.exe.0.dr, Ej/rT.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.b30000.0.unpack, Ej/rT.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.2.unpack, Ej/rT.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.1.unpack, Ej/rT.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.3.unpack, Ej/rT.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.0.unpack, Ej/rT.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 8.2.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.0.unpack, Ej/rT.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: jVULYR.exe.9.dr, Ej/rT.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 0_2_02D48DEE pushad ; retf	0_2_02D48DEF
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 0_2_02D490DC pushad ; retf	0_2_02D490DD
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 0_2_07AA65E5 push edi; retf	0_2_07AA65E6
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 0_2_07AA4AD5 push edx; iretd	0_2_07AA4AD6
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_00FC2F10 push ss; retf	9_2_00FC2F3D
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_064B9A25 push ss; retf	9_2_064B9A27
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_064B072C push 0000001Ah; retf	9_2_064B072E
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_064B3330 push es; iretd	9_2_064B41D0
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_064B3330 push es; iretd	9_2_064B41E0
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_064B2C74 push 0000001Ah; retf	9_2_064B2C76
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_064BDCE5 push 0000001Ah; retf	9_2_064BDCE7
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_064B18F6 push es; ret	9_2_064B1910
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_064B18AA push es; ret	9_2_064B18C4
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_064B18BD push es; ret	9_2_064B18C4
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_064B2177 push edi; retn 0000h	9_2_064B2179
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_064B1909 push es; ret	9_2_064B1910
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_064B41D9 push es; iretd	9_2_064B41E0
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_064B41D1 push es; iretd	9_2_064B41D8
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Code function: 9_2_064B15F7 push 0000001Ah; retf	9_2_064B15F9
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 20_2_01278DEE pushad ; retf	20_2_01278DEF
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 20_2_012790DC pushad ; retf	20_2_012790DD
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 20_2_05183F76 push edi; iretd	20_2_05183F77
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 20_2_08CD348D push edx; iretd	20_2_08CD348E
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 23_2_011AA64B pushad ; retf	23_2_011AA64C
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 23_2_011A8DEE pushad ; retf	23_2_011A8DEF
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 23_2_011A90DC pushad ; retf	23_2_011A90DD
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 23_2_011A981A pushfd ; iretd	23_2_011A981E
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 23_2_08D5348D push edx; iretd	23_2_08D5348E
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 25_2_05799990 push 0000001Ah; retf	25_2_05799992
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 25_2_0579985B push 0000001Ah; retf	25_2_05799866
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Code function: 25_2_06344B0B push ss; retf	25_2_06344B0D

Source: initial sample	Static PE information: section name: .text entropy: 7.75961172037
Source: initial sample	Static PE information: section name: .text entropy: 7.75961172037
Source: initial sample	Static PE information: section name: .text entropy: 7.75961172037

Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	File created: \purchase order 450080088 proj. allt charnan.exe
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	File created: \purchase order 450080088 proj. allt charnan.exe
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	File created: \purchase order 450080088 proj. allt charnan.exe
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	File created: \purchase order 450080088 proj. allt charnan.exe
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	File created: \purchase order 450080088 proj. allt charnan.exe	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	File created: \purchase order 450080088 proj. allt charnan.exe	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	File created: \purchase order 450080088 proj. allt charnan.exe	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	File created: \purchase order 450080088 proj. allt charnan.exe	Jump to behavior

Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	File created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	File created: C:\Users\user\AppData\Roaming\NpPgfycY.exe			Jump to dropped file

Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jVULYR			Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jVULYR			Jump to behavior

Source: Yara match	File source: 00000014.00000002.355635331.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.286211001.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase order 450080088 proj. Allt Charnan.exe PID: 6588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jVULYR.exe PID: 7076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jVULYR.exe PID: 7100, type: MEMORYSTR

Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.286211001.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000014.00000002.355635331.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.286211001.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000014.00000002.355635331.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Windows Analysis Report Purchase order 450080088 proj. Allt Charnan.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Windows Analysis Report
Purchase order 450080088 proj. Allt Charnan.exe

Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe TID: 6592	Thread sleep time: -45733s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe TID: 6608	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7104	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe TID: 2376	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe TID: 3436	Thread sleep count: 4140 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe TID: 3436	Thread sleep count: 4455 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 7088	Thread sleep time: -45733s >= -30000s
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 2400	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 7016	Thread sleep time: -45733s >= -30000s
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 7036	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 872	Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 2920	Thread sleep count: 3147 > 30
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 872	Thread sleep time: -59500s >= -30000s
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 2920	Thread sleep count: 4125 > 30
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 872	Thread sleep time: -52688s >= -30000s
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 872	Thread sleep time: -48376s >= -30000s
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 872	Thread sleep time: -44594s >= -30000s
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 872	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 5660	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 5664	Thread sleep count: 4186 > 30
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 7104	Thread sleep count: 2293 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6818	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1776	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Window / User API: threadDelayed 4140	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Window / User API: threadDelayed 4455	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Window / User API: threadDelayed 3147
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Window / User API: threadDelayed 4125
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Window / User API: threadDelayed 4186
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Window / User API: threadDelayed 2293

Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Thread delayed: delay time: 45733	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Thread delayed: delay time: 45733
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Thread delayed: delay time: 45733
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Thread delayed: delay time: 922337203685477

Source: jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Process token adjusted: Debug	Jump to behavior

Source: Purchase order 450080088 proj. Allt Charnan.exe, Ej/rT.cs	Reference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
Source: NpPgfycY.exe.0.dr, Ej/rT.cs	Reference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.b30000.0.unpack, Ej/rT.cs	Reference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
Source: 0.0.Purchase order 450080088 proj. Allt Charnan.exe.b30000.0.unpack, Ej/rT.cs	Reference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.2.unpack, Ej/rT.cs	Reference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.1.unpack, Ej/rT.cs	Reference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.3.unpack, Ej/rT.cs	Reference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.0.unpack, Ej/rT.cs	Reference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
Source: 8.2.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.0.unpack, Ej/rT.cs	Reference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
Source: jVULYR.exe.9.dr, Ej/rT.cs	Reference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')

Source: Yara match	File source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.jVULYR.exe.3c2afb0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.jVULYR.exe.3d94e90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3f6f990.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.jVULYR.exe.3e1f2b0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jVULYR.exe.3caafb0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jVULYR.exe.3e9f2b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.jVULYR.exe.3e1f2b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jVULYR.exe.3c6f990.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.jVULYR.exe.3c2afb0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jVULYR.exe.3caafb0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jVULYR.exe.3e14e90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jVULYR.exe.3e9f2b0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.4114e90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.jVULYR.exe.3bef990.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.289167000.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.352037043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.372079781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.371351565.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.359292860.0000000003D92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.393985190.0000000003BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.510450291.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.510451079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.510429258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.373291571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.283648504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.372700308.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.351287356.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.283045537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.395811711.0000000003D12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.282465833.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.358279749.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.350592858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.349995219.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.289411327.0000000004092000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.281949577.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase order 450080088 proj. Allt Charnan.exe PID: 6588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase order 450080088 proj. Allt Charnan.exe PID: 7124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jVULYR.exe PID: 7076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jVULYR.exe PID: 7100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jVULYR.exe PID: 6676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jVULYR.exe PID: 5908, type: MEMORYSTR

Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities