Windows Analysis Report
a2e-enterprise.26.3.3677.2903.exe

Overview

General Information

Sample name:	a2e-enterprise.26.3.3677.2903.exe
Analysis ID:	1407717
MD5:	29c3418978dd57c42c7e9530b3aac3d6
SHA1:	08283dd80f9597fffd5abc3977b21894e9ad962b
SHA256:	22a18e7582631d3d2efae7d691fc20421c7a9693103b6f21a190f664c686b94b
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

PE file contains an invalid checksum

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

Uses 32bit PE files

Source: a2e-enterprise.26.3.3677.2903.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\EULA\Add2Exchange EULA.rtf			Jump to behavior
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\EULA\Add2Exchange EULA.pdf			Jump to behavior

Source:	Binary string: F:\Office\Target\x86\ship\click2run\en-us\AdminBootstrapper.pdbpdbGCTL source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr
Source:	Binary string: DPCA.pdb source: Add2ExchangeSetup.msi.0.dr
Source:	Binary string: F:\Office\Target\x86\ship\click2run\en-us\AdminBootstrapper.pdb source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr
Source:	Binary string: E3BA6A-4260-D8AD-6F2E-E0BA27C2626F}C__DB5490D874434060B5523DC70DC6B4C7ADD2EX~2.PDB\|Add2Exchange Agent.pdb_DCD27D1155FD4FA49AFEC52B9E214BCFC__DCD27D1155FD4FA49AFEC52B9E214BCFInstallUtilB03F5F7F11D50A3APublicKeyToken4.0.0.0{C765414F-517E-9D44-62DB-200DC45A7F01}4.0.30319.1INSTAL~1.EXE\|InstallUtil.exe_E03A55A6B7E740C8A8611EDEE423521F{3379E351-9B46-C8C1-8C31-193B6939E1C9}C__E03A55A6B7E740C8A8611EDEE423521FPROFMAN.DLL\|ProfMan.dll_E155EF057E684BC49827EACF5A35D6C7{CB60CA7A-BE59-83D9-B889-8C03277AB948}C__E155EF057E6 source: Add2ExchangeSetup.msi.0.dr
Source:	Binary string: DPCA.pdb<0 source: Add2ExchangeSetup.msi.0.dr

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe

Code function: 0_2_0040729B __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,

0_2_0040729B

Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr	String found in binary or memory: http://127.0.0.1:13556/HosterIdentityHttpLogWriterEndpointInsiderSlabBehaviorProviderLabMachineLangT
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://support.diditbetter.com/Secure/Login.aspx?returnurl=/downloads.aspx
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://support.diditbetter.com/disable-group-policy.aspx
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://support.diditbetter.com/support-request.aspx
Source: Add2ExchangeSetup.msi.0.dr	String found in binary or memory: http://www.DidITBetter.com/Solutions/Add2Exchange/Overview.aspARPHELPLINKAdvantage
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, Add2Exchange EULA.rtf.0.dr, Add2ExchangeSetup.msi.0.dr	String found in binary or memory: http://www.DidITbetter.com
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sysinternals.com
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sysinternals.comopenThe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://aka.ms/ssmsfullsetup
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/abMicrosoft.Office.Experimentation.SendTenantIdToTasMicrosof
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr	String found in binary or memory: https://config.edge.skype.net/config/v1/Officehttps://config.edge.skype.com/config/v1/Office0.0.0.0?
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr	String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com/nexus/rules/nexus/upload/
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/abclientidRequestGUIDX-MSEdge-IGcorpnetflightReached
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, SQL12x_to_SQL12xSP4.ps1.0.dr, SQL12x_to_SQL22x.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/A2EDiags-2.3.exe
Source: SQL12x_to_SQL22x.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/SQL%20Express/Microsoft_SQL_Server_Express_2022.ini
Source: SQL12x_to_SQL22x.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/SQL%20Express/SQL2022-SSEI-Expr.exe
Source: SQL12x_to_SQL12xSP4.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/SQL%20Express/SQLEXPR_x86_ENU_2012SP4.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/SQL%20Express/SQLServer2008SP4-KB2979596-x86-ENU.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/SQL%20Express/SSMS-Setup-ENU.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Add2Exchange_Guide.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/GAL_Sync_Scenario.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Migrating_A2E_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Migrating_Environments_A2E_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Private_to_Private_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Private_to_Public_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Public_to_Private_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Public_to_Public_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Template_Creation_RGM_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://support.DidItBetter.com/
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://support.diditbetter.com/downloads.aspx
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://support.diditbetter.com/support-request.aspx

Installs a raw input device (often for capturing keystrokes)

Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_97c23fc6-3

Detected potential crypto function

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: 0_2_004171E0	0_2_004171E0
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: 0_2_0041525D	0_2_0041525D
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: 0_2_0041239B	0_2_0041239B
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: 0_2_00419640	0_2_00419640
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: 0_2_00418D70	0_2_00418D70
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: 0_2_00417EF0	0_2_00417EF0
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: 0_2_00419E80	0_2_00419E80
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: 0_2_00416F4A	0_2_00416F4A
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: 0_2_00418F60	0_2_00418F60

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: String function: 0040540C appears 42 times
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: String function: 004199A0 appears 232 times

Sample file is different than original file name gathered from version info

Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBootstrapper.exeB vs a2e-enterprise.26.3.3677.2903.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002B14000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBootstrapper.exeB vs a2e-enterprise.26.3.3677.2903.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000000.1748755714.0000000000428000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7z.sfx.exe, vs a2e-enterprise.26.3.3677.2903.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutolog.exeN vs a2e-enterprise.26.3.3677.2903.exe
Source: a2e-enterprise.26.3.3677.2903.exe	Binary or memory string: OriginalFilename7z.sfx.exe, vs a2e-enterprise.26.3.3677.2903.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe

Section loaded: apphelp.dll

Jump to behavior

Uses 32bit PE files

Source: a2e-enterprise.26.3.3677.2903.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: clean5.winEXE@2/93@0/0

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe

File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03

Source: a2e-enterprise.26.3.3677.2903.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Add2ExchangeSetup.msi.0.dr

Binary or memory string: SELECT `Directory`, `DefaultDir` FROM `Directory` WHERE `Directory_Parent` = '%s'Software\Microsoft\NET Framework Setup\NDP\v3.%lu%sSOFTWARE\Microsoft\NET Framework Setup\DotNetClient\v3.5Software\Microsoft\NET Framework Setup\NDPSELECT * FROM `%s`Custom action not implemented.ToggleNearestAppRoot.kernel32IsWow64ProcessProcess call was successful.The error indicates that IIS is in 64 bit mode, while this application is a 32 bit application and thus not compatible.The error indicates that IIS is in 32 bit mode, while this application is a 64 bit application and thus not compatible.The error indicates that this version of ASP.NET must first be registered on the machine.Unknown Error.The call to aspnet_regiis.exe was failed. Path: '%s'Process Call Result Code: '%ld'Process Exit Code: '%ld'.Create Process failed.Running process '%s' with parameters '%s' silently...Access denied.CoInitializeEx - COM initialization Free Threaded.FAILED:%ldCoInitializeEx - COM initialization Apartment Threaded...Attach Debugger To MeVSCADEBUGATTACHSetTARGETSITETargetVersion%s\v%d\%sGatherWebSitesGatherAppPoolsSetTARGETAPPPOOLTARGETIISPATHRoot//LM/TARGETVDIRTARGETSITESetTARGETIISPATHaspnet_regiis.exeRESULTPath = PathUsing 64 bit registry key...Reading registry value Path from key 'HKLM\%s'...Software\Microsoft\ASP.NET\%sProductNameRunning show message with fUseMessageBox = %sFALSETRUEVSDINVALIDURLMSGHideFatalErrorFormopenExecuting URL '%s' with source directory '%s'...SourceDirRESULT:Condition is false.RESULT:Condition is true. Nothing more to do.Evaluating condition '%s'...Getting the condition to evaluate...A launch condition has already fired. My work is done here.Checking a launch condition..."/><supportedRuntime version=";VSDFxConfigFile

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe

File read: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: a2e-enterprise.26.3.3677.2903.exe

Static file information: File size 42987850 > 1048576

Source:	Binary string: F:\Office\Target\x86\ship\click2run\en-us\AdminBootstrapper.pdbpdbGCTL source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr
Source:	Binary string: DPCA.pdb source: Add2ExchangeSetup.msi.0.dr
Source:	Binary string: F:\Office\Target\x86\ship\click2run\en-us\AdminBootstrapper.pdb source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr
Source:	Binary string: E3BA6A-4260-D8AD-6F2E-E0BA27C2626F}C__DB5490D874434060B5523DC70DC6B4C7ADD2EX~2.PDB\|Add2Exchange Agent.pdb_DCD27D1155FD4FA49AFEC52B9E214BCFC__DCD27D1155FD4FA49AFEC52B9E214BCFInstallUtilB03F5F7F11D50A3APublicKeyToken4.0.0.0{C765414F-517E-9D44-62DB-200DC45A7F01}4.0.30319.1INSTAL~1.EXE\|InstallUtil.exe_E03A55A6B7E740C8A8611EDEE423521F{3379E351-9B46-C8C1-8C31-193B6939E1C9}C__E03A55A6B7E740C8A8611EDEE423521FPROFMAN.DLL\|ProfMan.dll_E155EF057E684BC49827EACF5A35D6C7{CB60CA7A-BE59-83D9-B889-8C03277AB948}C__E155EF057E6 source: Add2ExchangeSetup.msi.0.dr
Source:	Binary string: DPCA.pdb<0 source: Add2ExchangeSetup.msi.0.dr

PE file contains an invalid checksum

Source: setup.exe0.0.dr	Static PE information: real checksum: 0x4fc7d8 should be: 0x4f70e0
Source: setup.exe.0.dr	Static PE information: real checksum: 0x4fc7d8 should be: 0x4f70e0

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe

Code function: 0_2_004199A0 push eax; ret

0_2_004199BE

Drops PE files

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Autologon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\setup.exe	Jump to dropped file

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\EULA\Add2Exchange EULA.rtf			Jump to behavior
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\EULA\Add2Exchange EULA.pdf			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Autologon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\setup.exe	Jump to dropped file

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe

Code function: 0_2_0040729B __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,

0_2_0040729B

Source: a2e-enterprise.26.3.3677.2903.exe

Binary or memory string: ;qEMu

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe

Code function: 0_2_00404151 __EH_prolog,GetVersionExA,

0_2_00404151

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Name	Type	MD5	SHA1	SHA256
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Add2Exchange Enterprise Guide.pdf	PDF document, version 1.7	E42B5D240E70A4AE87E23B646B2CE944	6811A7D2FD4B4C5B84BE239C63DF0BC22ADFBC3C	B2485A101BFBD604737D39FF4A91507292E24784F98CACCCAC48486D32249812
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Add2ExchangeSetup.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {6CC5F0A5-DD20-463B-A745-23226EA64FC9}, Title: Add2Exchange Setup, Subject: Add2Exchange, Author: Advantage International, Comments: A Microsoft Exchange Server synchronization program., Number of Words: 2, Last Saved Time/Date: Mon Mar 11 15:43:44 2024, Last Printed: Mon Mar 11 15:43:44 2024	2D8B406D3C360459C99E3A1BC9D1E30E	3288467999C470DC54535A831C47720C299103BE	F1B7B284704703E02471A645F7295D6678EC87DF998B2C9A90C6B3067CFB590C
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\EULA\Add2Exchange EULA.pdf	PDF document, version 1.7, 6 pages	5717BDB29D1561AE86E08AF6459CAC84	7D74FF33E1A7299CAF9BF2F45D64F15F2F0C336A	FB6B1D910F9B44416C50E5E31E449835391B9B33FD238AA45C5BCB61465F7373
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\EULA\Add2Exchange EULA.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	F23F6315632CF0B58C2243A3FA3E4D06	CD32534BAEE9CCB55C1FAF8653FC53DB22291C85	EA34C9C0CD918EF15FCE8FEED4DF83359BDE1D6E60F6632378970D73D68F36A7
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\First_Time_Installer.ps1	ISO-8859 text, with CRLF line terminators	24906D4F36602C1492A74A26C229E000	11A0EA2FDE23EF154F4B2F2E0B37BF4BDB20B390	E8F85E3101B5613AF06DD998E7E119A9D8F48B2CB0178FD79769EF4CCA73FD0C
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Links\Request Support for DidItBetter.url	Generic INItialization configuration [InternetShortcut]	A675BC61B22D603FA553D133C3A80530	69C7F69497435AE1C7045FC7646DF7E030A71D60	703F87D93902B09647F65B0A6C0FAC76AD3D3ECEFCECBA0B487D6BE5FC11CC86
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Outlook_Installer.ps1	ASCII text, with CRLF line terminators	9A6C59517107E29E7078D7B96723CB98	3511E00B4372319EF796129621FC62D4AF7A4FA5	C0553E6FA21203007BCF887EB57BACDC9E01BB3646495200A76C372030164CEF
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\Office365_Pro_Retailx64_Configuration.xml	ASCII text, with CRLF line terminators	BC70B4D7C9C7053F4C30FC1721A67D63	D9E574805F4018C7CC25C2AA97DC56DA3E0B5044	794E2365F2E580F669BAD988064606F814A1EDDDB7F865C3D291AAF15AE1EF0D
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\Office365_Pro_Retailx86_Configuration.xml	ASCII text, with CRLF line terminators	6C49E64FFF25A2225546976F7A9BE5F6	6CC15D048275904F2E8D7AFC1F7789750FC6365E	B52A9402BB73233A077BC2437228A26AEEB9C8F53FE3E9147209A09A9D5A833F
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\Pro_Retailx64.cmd	ASCII text, with no line terminators	E49E7FD101C66A32558FF27564234222	671A4BBE57BB7C9E872693DFA4CDC967D4329A93	72507222065118F1D879128E8E98C633AFA6C21275CB9246F5AAC18041A1FDBF
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\Pro_Retailx86.cmd	ASCII text, with no line terminators	8D16D2E6750AE5217ADBBAC538E6E89E	06126FF482AB5F91E32315DE94ECE2F39533C1BF	FFB180B7837FAB58A39779694E3025F98A0AE6B747B3A84BCB96BBA59486C5F7
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\setup.exe	PE32 executable (console) Intel 80386, for MS Windows	B374FA0E7E34B9CE9C142FE80E1EFADE	2537F4523B12E9801F2ACB8FE38D5D725A56A61D	A87105965530799BABBB71A1FD52DBD7CDDEE71C40E2C37576235D156FF02027
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup.zip	Zip archive data, at least v2.0 to extract, compression method=store	A00060FA16A451A14EFD4D8431CF4FA0	57EE5FF9CE2DCD217AFC03820FDF2E4A1EFB072B	5FC1DC21BE4CBC3536079157FD9C75F93EAC09C90DF836432320817E7C720F1A
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\A2E_Auto_Migration.ps1	Non-ISO extended-ASCII text, with CRLF line terminators	93424836BFC74EF4E3291D2AD4190A59	3E9240FD41C8BDD4F969D1676CB4859FA4480F2E	B9FC8E91F823BC275C8A881B9918609D646546AF25255E9F25E339544A662441
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\A2E_Directory.ps1	ISO-8859 text, with CRLF line terminators	F0881E090546B066243B4E31C5871A4F	20E3AFBA20B081A484E4F6EA00E865394D7DAFC8	09DC73CEAAC643ED32120FBB7AE81BE75A922C2318A3A55ACED9042CF0350466
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\A2E_MMC.ps1	ISO-8859 text, with CRLF line terminators	6C6FE5D9C01ED59D63ABC1737A003357	B8FE156802D624D1B1322A211A572C6EC0332E33	2C9CDDAA12253497C76A7DF48A9E9845FE3D9D3289F2E5844043EDDDA57C6273
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\A2E_Permissions_Commands.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	8A81C1400FFC2CD5B1FAAD465C0701EE	D26758B75BB032383464C2F5E5B020DD06FAE7D8	8CD1F3A5BB0971E36910A7B67E48E2F7C6D310FD088BDA61B498E231AE585F0B
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\A2E_SQL_Backup.ps1	Non-ISO extended-ASCII text, with CRLF line terminators	E289DC757526BB6118CCD8B234483DB7	7185C6F23862169FA3E148935909E28952FA5D08	C3C92F663B02D0E1E2B2BD46AE8A2983DC6A829EB4E4A8AF09B4D37B589D593C
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\A2E_Setup_Details.ps1	Non-ISO extended-ASCII text, with very long lines (485), with CRLF line terminators	8DC459D4B78D918A341B4938B1552F70	595052E1A7BA7A36D8A32AF4CC53AE1B0F85D4EF	1F27A71C9A9008D49BAF22364336AF763ACB549D260225E387746199A68D6EA8
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Add2Outlook_Set_Granular_permissions.ps1	Non-ISO extended-ASCII text, with very long lines (355), with CRLF line terminators	9531BBFDE471AF746FDFEEB69964B848	CAE7CAD062B3FE3EF4ED3B78BDE521823C169E99	229C448416621A50ED51125A1973D019BF3A5FE596584A4CE53E3C6AE1B0A098
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Permissions_Task_Creation.ps1	Non-ISO extended-ASCII text, with CRLF line terminators	BB243A354ADBE069FCAF359567A51028	A224B862CEFEEE04408459E81EDC2639DAD3D2E0	7AED627FC4B85C44148A3AAAEF85B80636D388838AFDE60D62C494E53C8DEA3F
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\2010-2019_All_Permissions.ps1	ASCII text, with CRLF line terminators	3A7D2158C9D2F4FCB32B6E159B0B525E	26955DDF02A0ADA152B45B870A3757EE35DDB157	8E47D64B5963369453417FFC938997BEF43B15C951C57E52DF190B4BABD95276
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\2010-2019_Dist_List_Permissions.ps1	ASCII text, with CRLF line terminators	89CF421CCCE150873AA500F3758F8F5A	0B65BA14167491C7764374092CBE1B7013BC5DD0	FBE3DB3AE3ABACE46DD71EAF8FB1CFE9CDD6E5487B58FD5D94FF1ECA6BF91ECE
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\2010-2019_Dynamic_Distribution.ps1	ASCII text, with CRLF line terminators	1F7EB58896F3866ECF20359778262CC9	93116FF3EDF8528B74641019AEABE9CF53EB528B	86DC185646EA5CDFEBBB3EAB8A188F3E4A006C07C256777FB18652EAB29564D1
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\Office365_All_Permissions.ps1	Non-ISO extended-ASCII text, with CRLF line terminators	454AD4DAF7770AA0475332B7B61F35A8	D9CAF58B50B20B15B6D713DC1C2A87CB0F421CFE	0B995601F037D76FD2B6B9746AFDCC33A29F8769772A7E26AE8DDA20B79B392A
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\Office365_Dist_List_Permissions.ps1	Non-ISO extended-ASCII text, with CRLF line terminators	40849438C1AD17F7506ECA0AF810E5A5	622291B78908387DBE154E641D6D22496DA2C946	9E68CCDA9FA2A971FF15BEA0264A326433C9DAE2AE635E240A790ACE6C7B5F49
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\Office365_Dynamic_Distribution.ps1	Non-ISO extended-ASCII text, with CRLF line terminators	0E3C648CF3C2A950A790C8412752F058	7AD73D971222436E5801E14AF3A43A1E49FE1E9F	528E4E9F041933014B6CBB1C1405DBBF2CEA0A5225AC56F5090D333595BFEDA7
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\Shell_Permissions.ps1	Non-ISO extended-ASCII text, with very long lines (355), with CRLF line terminators	09F016831A4007FBC4A35EF1C5E88CDA	9AFEC61CECE26BCA466EB0F98EB1D9AD95A83D71	A1095A2035A2CCD0C20A7DB63A6A473FD1973F481C2C6995A910518320DFEA4F
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\Stand_Alone_DyanmicDistList_Task.ps1	ASCII text, with CRLF line terminators	E7429B9BC39E9217F0FB503DE41E1364	0608BB8B293A11F58EEB8CAA322CAF670CD48EFA	6C696EF6E3D94FE2712B3063C7A52C6618A0D346C0B22718572FE7DB2A178885
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\Stand_Alone_Dynamic_Distribution_List.ps1	ASCII text, with CRLF line terminators	CBC1624883A282B70B867D25B380EE1C	519E9B90F6558C1B507A1B71F9706B9400FE1E40	0470A94170B0407E9C8AF85F2292EA767A424A82686E1991E28F320A2A325809
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Upgrade_Add2Exchange.ps1	Non-ISO extended-ASCII text, with CRLF line terminators	6BEDF8B55CAB971FF2E23CCC1EA27E7F	627234B6FF79F0780A8B7DAE89B0BDEE54F7526E	77AD9D0C0B089A83B26AAEFEA3CE8165F0EF1E32B3819AC16B3C4EF9CBCCEE21
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Upgrade_Add2Outlook.ps1	ASCII text, with CRLF line terminators	4AAA734208D8E215BBAB17D855B7CF97	93840F59A560538EE2DBB7DA884D70FDE2DDAB4B	B6BF85319892EBDDA5FA5CF47F59531153C463D33A1D74C39D3C704CE2405556
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Upgrade_RMM.ps1	Non-ISO extended-ASCII text, with CRLF line terminators	2FB639DA7949E56BAA214AE840F13E0B	AC820AE801AB94D6041B5CA11921E53DD31BA232	2A4E8368A8A7CCAFDE0E226BB499A53A5F265DFBFB48155221C1AD067D7CB072
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Upgrade_ToolKit.ps1	ASCII text, with CRLF line terminators	28E59560B884DA8763573D7B485297E4	05507AC499BF399373C168177ECBC4DD4E60ADD5	919D7C612EA6790AE25373037E04AE138356135124F83A4A2C9253D3CB42014C
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Autologon.exe	PE32 executable (GUI) Intel 80386, for MS Windows	607A332709458F781C20AB49940C4B64	923409BE6C1B183C74DA221DD23A42B4B981BA19	324C64D24818A0BE63A43A8DF678B88DCA4F8959841F91F4875CC6ED0E93F549
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Bypass_AutoDiscover.ps1	ASCII text, with CRLF line terminators	E4178F8743EFBCF5C913DF3B0C0A67EF	63F9EFBB79FDD3E92DBCB446CD63F41BF0E419E7	10BEAABFD5D7E3DB3BFF5DEDF25FA115B70603CB4C7B3F984240488D3FE93DEC
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\DiditBetter_Support_Menu.ps1	ASCII text, with CRLF line terminators	3243E53FE3DC8EBDD8DD2D9C82862EB2	C2FE83D72161EF9A3D8FB01E84B7F2621832E296	2C3173702001100EDA5538994095561DA59B7023E34EF1F748F2634FA5B39B9B
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Dir_Sync.ps1	ISO-8859 text, with CRLF line terminators	F15B2367D478E08070CF913EFF9775A4	3B239969D571EC0F29E4C88D7ACF783FDB3EC50F	9853B16C6DC415B0FE4D19FC9929D987CEEFFDBC65BAD3C5426CDAA4897CD5EC
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Disable_Modern_Authentication.ps1	ASCII text, with CRLF line terminators	DAC366EB2AC0C56F103FCE8F00DFE019	390268DFFE32FE42E167CDC5BD95F2FD1BF63C7C	AEAE6072BC4BA590E63D789457E46EFCB5FDC1EDC9A5E49C850D834E8ABED797
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Disable_Outlook_Updates.ps1	ASCII text, with CRLF line terminators	4D42BA60AD65211D97ACD062F44E7332	01847AA3E0AF6DB359AD6F1C95D68C20F9C24C11	21C7370D4D2A23DF0F8C3DF41077AF150497F526B25FAC566C705AAF6DD005B8
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Disable_UAC.ps1	ASCII text, with CRLF line terminators	06EF6793B7BB09AC2DCA61E6B9CD8E9F	19389578400B32411CC079DA4BB84433340A0DAF	7168CE2EE7EDF60478CA33A20070A43EF5825ABF2596CFE14CAB6299B76AC7CA
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\EXModule_dotNET_Update.ps1	Non-ISO extended-ASCII text, with CRLF line terminators	690CA58ED8C9BA7684EE98C8AD8CA515	89F8AE137ADFE3B97D67564CDB301FA178D6756E	3C80256C8C465767B21829577643B47DE98E91A129C562016F18FF2F2E0BF283
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Export_ADPhoto.ps1	Non-ISO extended-ASCII text, with CRLF line terminators	73B703ABFEE693CFE74DA332CE4D6306	02BA53EC7F923158E3D0F72010E69AF9A983665C	921FCEFFB82CA49BD1BB8B546C375FC43A701DE8976DB41655ED8807050B8B0B
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Export_License_and_Profile1.ps1	ISO-8859 text, with CRLF line terminators	67BCE29BD16BD783041BE4C485263227	F6B6570F9C474666ABEA3E36FB66CF5446A3AF7C	A6DCFAB242B14EEB55F98F0055AB46856BDAED46FEC060719E91177082039C93
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\First_Time_Installer.ps1	ISO-8859 text, with CRLF line terminators	24906D4F36602C1492A74A26C229E000	11A0EA2FDE23EF154F4B2F2E0B37BF4BDB20B390	E8F85E3101B5613AF06DD998E7E119A9D8F48B2CB0178FD79769EF4CCA73FD0C
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\GP_Results.ps1	ASCII text, with CRLF line terminators	D8F3B0F174893BFD6855097BCF188C38	5D3CC8271B4E8F192368369E8F8D1A6C651AA9E7	891FB63F37784A2D77653278198C3B1CEEC2F923BE32A1FBFE38D3284E29ED26
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Get_Diags.ps1	ASCII text, with CRLF line terminators	2F9F4E1534713C5F75B2D1569B4980C8	D317F95060E851D36DE749BD0C3EA164331FACE9	D294B5769B0DFE14ED596287FD3676D7FD8F034DFC3D9844AE8D6AD9F25DF870
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Legacy_PowerShell.ps1	ASCII text, with CRLF line terminators	38AC352720450197714B1C8A9A32ACE3	D3C6469DC5B28659DEFA3B7DCA680B78463C1135	E52FFA8E1FD828987EE62B2975DBD7900EB138EBE95FA03F6BD66B0A07269FB3
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\MSExchangeDelegation.ps1	ISO-8859 text, with very long lines (321), with CRLF line terminators	C3B6051BFF57D81301759DFF51EDE1C5	C65685554BA7717D9980D46FBE9A52B4FEE60F90	202D5AA879A1511C7F8EB926B6A5AD98DBF9D13443CD54C9D8414C142DFE9B09
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\OSC_Disable.bat	ASCII text, with CRLF line terminators	59FDCC52E51AC335C4D24CD27A0FD8BC	019DDC5FD0193C995CA930959E4A8F8BB38C03AC	3B123AA11B50E117A4FBA11ED03922121F64ED5C8D64DA30F0AEACEC78F0C820
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Office_Updater.ps1	ASCII text, with CRLF line terminators	F7AFFC19CB6DD094845898341D7F08B7	57BF666D2BC57314E4B1CDAFB859E02FD87ABFAD	8DA1870CAC7721E842024BE4653DEA71D8799F7DFB1BD598DCCFD4E639F7F1BF
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Outlook_Installer.ps1	ASCII text, with CRLF line terminators	D44914C6A4C7369D3C627CD4E10BD2D1	7C216AF33F406E83EE06FCC19084A8667AE47DED	6320EA3B5D06B458781D3EA9411C9E80BBFE6352A3C9D714A371333883D1032A
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Outlook_Profile_Set.ps1	ISO-8859 text, with CRLF line terminators	880A9575A59B6D1B592248FAC5EE0571	4807DD3AF489E41FAB399745F0B57722FDBE5DE5	84205172A09054014BB37A59CC32A75D21C941CDBE6D570424AA9544A6BBC670
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Outlook_Tools_Menu.ps1	ASCII text, with CRLF line terminators	140B1F8CA61563B37C91750045ECBF87	28354FA245E5310B8C74F240EEF115B9C41D44E6	3E7B62BD9BBE9222449438EDBAC7198C5BAF01E77D32E19FDABAC645293AA10A
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\PermissionsOnPremOrO365Combined.ps1	Non-ISO extended-ASCII text, with very long lines (355), with CRLF line terminators	7E4D25A72B3C66B9434B31C57E06F287	80A029D83FF84BDB3239FEC19ED6D7276582098C	3A95B367EAAFB21B83C53F3BF8BC252180315FB419B155A5AB9C50003C1A6309
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Permissions_Task_Creation.ps1	Non-ISO extended-ASCII text, with CRLF line terminators	84A7CA382672E2CC2AC294809F5DD084	C8B5AEB08A1C2244429D9D1C2FDCA193D721C458	F5CB96173BFF7C6DC81C01CC6416E9D384A6ECEC64ABEDAA95E1BD023DAE3038
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Post_A2E_Migration.ps1	ISO-8859 text, with CRLF line terminators	75631EEEF162F81CA161A59E63693945	37B8587D9228B52CC88F6234E533B771C7CE78CA	0F84D9670388289E3DED4D3500656D20DA4E976CA8831B3CE8E1C95D0AD58A86
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Public _Folder_to_Address_Book.vbs	ASCII text, with CRLF line terminators	A7171DD633A4B2F800DF6102D7E93DC0	0969D0388FBE550FFB679E331B2217C37BBC1D00	E93783BCF685866CDD02275E987EA5F2266FCDF50465578D132F2549A85BD634
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\REARM_Office.ps1	ASCII text, with CRLF line terminators	D3AF23D1D7084FC8BE912E016D51B4FF	D1B3DC03B0419669FD8BAA02D1343875693DD253	0B2157D302BCAE924480D48254111A363EAB87933881A105FCB300B528041E25
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Registry_Favorites.ps1	ISO-8859 text, with very long lines (342), with CRLF line terminators	AF59015B32AE299D4428243674C54706	6B2A86DD040D579348F32F4FCC349729514491A5	FFF79D64EDF0F517CCC529A88E21D3A3974BE82E9B209EDDAC0B1048943414BC
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Reset_A2E_Password.ps1	ISO-8859 text, with CRLF line terminators	6D9B75BDE724C06B10B6A2BF461859C9	9AC9C9CD2F844E174CBF56A6D3C66B34E911C5E5	D85A2F7527A2126274FB31CBD8CE40BEF76F652EB7C3307A1DB62B2F3A896253
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\SQL_Firewall_Rules.ps1	ASCII text, with CRLF line terminators	5D15CC681D31E58EB755EDF96DAB987F	045A9EE48903AC50B494A0716A8751BAA0942F4F	298CE83535B8F62B324ACF467722EB89E114AB09687883FCA5B27CF08E57A627
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\SQL_Upgrade_Files\SQL12x_to_SQL12xSP4.ps1	ISO-8859 text, with CRLF line terminators	0B20B6F052DFDB6E1C3A69AF0030ACB8	0F1461CF9E7616F04A0F94C054C895A1850F6CF6	543708058ADB5F3AC204995B2EC266AA39766FE8DEA0CB3A893673A2139DEB3B
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\SQL_Upgrade_Files\SQL12x_to_SQL22x.ps1	ISO-8859 text, with CRLF line terminators	AD4A1E79C7603CBCCBDC37A9109C498C	4332F28C590CED2B9B9EA66CF8EE78D28E494E53	BA17D1CFF354EF35C11C62D9DAEBCD5357D2E51EEA89EFEFAC29ED912E6D6813
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\SQL_Upgrade_Files\SQL17x_to_SQL22x.ps1	ISO-8859 text, with CRLF line terminators	F1C85E7B65D147DD29AE2AE410AEC21A	4CA83E0864F3AE91B15987896AC741DA42D28472	D5E8B1EC255797D5797F36F9B6B81E37D912E2D5E911428EC88CC055764463C0
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\SQL_Upgrade_Files\SQL8x_to_SQL12x.ps1	ISO-8859 text, with CRLF line terminators	EBA62744DFE66991433BAF7FC0BAEBF5	137385A79E897DF5C0D0FC6AEFEDDDB8CC4385D7	9AD9453564BABC5EB58CB18243E094C5CB8BA753009724393517185E1AFDE7BB
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\SQL_Upgrade_Files\SQL8x_to_SQL8xSP4.ps1	ISO-8859 text, with CRLF line terminators	1A8612F6E5EF271B6308386FAFCAC2FC	C12001B6714417A25E9D33CBB5E0E3E28FC0C8AB	A02286A6251AA589C3A01D14DAD72E6A973C5CE3247775ACBDF0A0002702202C
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\SQL_Upgrade_Files\SQLExpress_Main_2022_Upgrade.ps1	ISO-8859 text, with CRLF line terminators	1ADD9F6985014CB6D580776FB1ED7184	6037CE1867FDAECD5AB96619330C7056B81A667E	F396B1B7C0812275DC5A3F9F46881FFB8D1BA9A9AC356AFCDC9571E8F1911D61
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\SQL_Upgrade_Files\SQL_Management_Studio_Quiet_Install.ps1	ASCII text, with CRLF line terminators	D1BC3C992B5D78090C375480B7BE9D3B	7FE5F2FBC111E6B863326F74D24438169CA680EC	53E87C98740D6CF268B641B55133958EA6A729DCEB04E71FAB13710B3861D4F0
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Scheduled_Update_Add2Exchange.ps1	ISO-8859 text, with CRLF line terminators	AFB9AADF777A7A19E1AE27D5FD22514F	0C1A6A7F0E6D22BC7A635C266868682D7DDEEF1A	DD988CFD11109E1E7875D41607916EC30B73F4DDDF310515BD15E762A36058D8
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\Office365_Pro_Retailx64_Configuration.xml	ASCII text, with CRLF line terminators	BC70B4D7C9C7053F4C30FC1721A67D63	D9E574805F4018C7CC25C2AA97DC56DA3E0B5044	794E2365F2E580F669BAD988064606F814A1EDDDB7F865C3D291AAF15AE1EF0D
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\Office365_Pro_Retailx86_Configuration.xml	ASCII text, with CRLF line terminators	6C49E64FFF25A2225546976F7A9BE5F6	6CC15D048275904F2E8D7AFC1F7789750FC6365E	B52A9402BB73233A077BC2437228A26AEEB9C8F53FE3E9147209A09A9D5A833F
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\Pro_Retailx64.cmd	ASCII text, with no line terminators	E49E7FD101C66A32558FF27564234222	671A4BBE57BB7C9E872693DFA4CDC967D4329A93	72507222065118F1D879128E8E98C633AFA6C21275CB9246F5AAC18041A1FDBF
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\Pro_Retailx86.cmd	ASCII text, with no line terminators	8D16D2E6750AE5217ADBBAC538E6E89E	06126FF482AB5F91E32315DE94ECE2F39533C1BF	FFB180B7837FAB58A39779694E3025F98A0AE6B747B3A84BCB96BBA59486C5F7
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\setup.exe	PE32 executable (console) Intel 80386, for MS Windows	B374FA0E7E34B9CE9C142FE80E1EFADE	2537F4523B12E9801F2ACB8FE38D5D725A56A61D	A87105965530799BABBB71A1FD52DBD7CDDEE71C40E2C37576235D156FF02027
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Shell_Into_Exchange.ps1	Non-ISO extended-ASCII text, with CRLF line terminators	4ABCE57C7D70986A012F11683C23D47F	4B7CD4E02EDBE9D04A489196A0465A228A5DD39D	5507006FEDCC5410CAB7C9DC33C0B52E6E919697DD46EEC2F3733E3803887CFD
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Shell_Permissions.ps1	Non-ISO extended-ASCII text, with very long lines (355), with CRLF line terminators	BF7B956A983D4C2B772F143AC437F401	BB5902AAF9844CC9C0786884F8B35D052BE13B4A	51250044F351B81A1A8E38C1EFD47DCB99312DAAAAE15F1A2CA856E0D0E42E73
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Timed Permissions\2010-2019_All_Permissions.ps1	ASCII text, with CRLF line terminators	A119485189BCC14AC82C12ADCA54E81E	5CFE9A212D000E8F367B83B1F39474B99F89CD55	25CA6D42AEE88E873C065741F37959D148A07A41CCC8B393ACB05C7B9F3729CB
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Timed Permissions\2010-2019_Dist_List_Permissions.ps1	ASCII text, with CRLF line terminators	65AEF2EBB5A702F05BDDB39426D22E9E	A40DB715731183703E8E0D9B8D883D039E64D1C0	A57544B50D040A836A9AFA3334EC7820AD4A11CE3B1E22563BD68183296B1802
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Timed Permissions\2010-2019_Dynamic_Distribution.ps1	ASCII text, with CRLF line terminators	399F572DA4C7F58117067DD1D70AB422	03CC2AFDF3AF84E147F0E0A934B094D32FB0460E	BB60CC3AB32A798ABAD83A52224C2A665B43FD0B389B5FEF8FD146BB8ECFC281
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Timed Permissions\Office365_All_Permissions.ps1	Non-ISO extended-ASCII text, with CRLF line terminators	4CEE73D454FF52AD206F6779B8C1B1C2	2AFF775DEBB685870CB1027DFB629709134C78AD	CFFE62C1DD72BB82A9B1FF47092FD096B2A5DF219778CDA5D9D0B61B86E72E6B
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Timed Permissions\Office365_Dist_List_Permissions.ps1	Non-ISO extended-ASCII text, with CRLF line terminators	29DCE03F380B4119D910F6916C83E553	C094CFF3C3D9B460F44F7CF61CA78C8D1F84122D	3B92B4559CBB46C25330E2D1272C1946928A896B0FEC503A2C2624C7E35509F7
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Timed Permissions\Office365_Dynamic_Distribution.ps1	Non-ISO extended-ASCII text, with CRLF line terminators	9DB45E661D4F1819D5C2119BA8EBE6F7	43F8E5466B03431EE886981A1A6D15AC4CBF09C4	91B84050C3505A65F63C4084DE97CEB183BB2131C5ECE05E1FD5B2C9385A5271
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Timed Permissions\Stand_Alone_DyanmicDistList_Task.ps1	ASCII text, with CRLF line terminators	E7429B9BC39E9217F0FB503DE41E1364	0608BB8B293A11F58EEB8CAA322CAF670CD48EFA	6C696EF6E3D94FE2712B3063C7A52C6618A0D346C0B22718572FE7DB2A178885
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Timed Permissions\Stand_Alone_Dynamic_Distribution_List.ps1	ASCII text, with CRLF line terminators	CBC1624883A282B70B867D25B380EE1C	519E9B90F6558C1B507A1B71F9706B9400FE1E40	0470A94170B0407E9C8AF85F2292EA767A424A82686E1991E28F320A2A325809
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Timed_A2E_SQL_Backup.ps1	Non-ISO extended-ASCII text, with CRLF line terminators	3AAAC6808F523B20E401258345F64C9B	D69BE6F4135500FC2E9312F3F5091FDA06CDB046	E54C2AB3CA3FAD2491C022C763744D6F82998734F616801F049B21266029BE1D
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Windows_Defender_Exclusions.ps1	ISO-8859 text, with CRLF line terminators	65BAF2C4AECB3C31BD9F5D991FB5F666	7AAC1911A4A0E2235AD4BAC1F8D03DDFC863F4C5	65DB9ADCFD894401F42E618FCD973498F2D86563BF7B12687A9AFCC0B3BF65E4
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\shell.ps1	ASCII text, with CRLF line terminators	0C3D59CF2897ACE0354138628A349F9A	D3CD0F829B6C162C77C68FFC137E89392E573410	E81BF291B9B93BDD31AAB066D2E4078C3C2D9EC8A5BFC802DD910C59F47361DD
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Tools\Logging\gollevel.xtx	ASCII text, with no line terminators	FB5B87D7E7127C6CCBB0D47B99C98629	D0E38F05930EF0AC54BF5A2C555B5013BF7B8145	120C7DC65B2424AAC3D64B06D0F28C1CFB41553A0294C99DFCBC6B750428430B
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Tools\Mapi\ExchangeMapiCdo.MSI	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Messaging API and Collaboration Data Objects 1.2.1 v6.5.8320.0, Author: Microsoft, Keywords: Installer, Template: Intel;1033, Revision Number: {EB06CAF7-FF9E-4e70-B2DC-20D0B3E4A188}, Create Time/Date: Mon Apr 29 10:13:53 2013, Last Saved Time/Date: Mon Apr 29 10:13:53 2013, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML (candle/light), Security: 1	1C0E9FD7CB73D8E40802FA2F535B2D96	F109F0E751D0B358C9D5DEE1322738609E07EA2E	40480D120D9A4349716471B75015FFC08313B541A8E303E326F2A2809EA98731
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Tools\OutlookTools\Autodiscover\365autodiscoverOutlook13.reg	Windows Registry text (Win2K or above)	6650B0C072434405DF42D91C81A1573C	D5EF1E3A4408F8FBDC0A514C1F411627FCEA1F98	D5157FAE52FF0A7CF3D0BFC204EA1674AA117267241B95F1FF90A87F2DA2F612
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Tools\OutlookTools\Autodiscover\365autodiscoverOutlook16.reg	Windows Registry text (Win2K or above)	98DD72DEF80AB5D47318F76A726EAFBF	A596F1DC0D4060B90872ABD75C5AA587B55469D6	224D9957C0368840C9677FAB790B7978AD85F8CBE1F4C344853D4ABB2E19FC8E
\Device\ConDrv	ASCII text, with CRLF line terminators	D2AE156D41D73955EF95375E429E5B8A	42DF0552AE25A3C214CDB14B2E26DAF136CB2820	BE67C2179BF4F732A1F1DDC529F0DEC5BA18728804EDB6EDF889EC5CAB402168

ID:	1407717
Product:	CloudBasic
Start time:	18:06:47
Start date:	12.03.2024
Sample:	a2e-enterprise.26.3.3677.2903.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	29c3418978dd57c42c7e9530b3aac3d6
SHA1:	08283dd80f9597fffd5abc3977b21894e9ad962b
SHA256:	22a18e7582631d3d2efae7d691fc20421c7a9693103b6f21a190f664c686b94b
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
a2e-enterprise.26.3.3677.2903.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report a2e-enterprise.26.3.3677.2903.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
a2e-enterprise.26.3.3677.2903.exe